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Brief Summary Text - BSTX (28) : 

In addition, VDE : (a) is very configurable, modifiable, and re-usable; (b) 
supports a wide range of useful capabilities that may be combined in different ways 
to accommodate most potential applications; (c) operates on a wide variety of 
electronic appliances ranging from hand-held inexpensive devices to large mainframe 
computers; (d) is able to ensure the various rights of a number of different 
parties, and a number of different rights protection schemes, simultaneously; (e) 
is able to preserve the rights of parties through a series of transactions that may 
occur at different times and different locations; (f) is able to flexibly 
accommodate different ways of securely delivering information and reporting usage; 
and (g) provides for electronic analogues to "real" money and credit, including 
anonymous electronic cash, to pay for products and services and to support personal 
(including home) banking and other financial activities. 

Brief Summary Text - BSTX (37) : 

VDE can protect a collection of rights belonging to various parties having in 
rights in, or to, electronic information. This information may be at one location 
or dispersed across (and/or moving between) multiple locations. The information may 
pass through a "chain" of distributors and a "chain" of users. Usage information 
may also be reported through one or -more "chains" of parties. In general, VDE 
enables parties that (a) have rights in electronic information, and/or (b) act as 
direct or indirect agents for parties who have rights in electronic information, to 
ensure that the moving, accessing, modifying, or otherwise using of information can 
be securely controlled by rules regarding how, when, where, and by whom such 
activities can be performed. 

Brief Summary Text - BSTX (52) : 

VDE allows electronic arrangements to be created involving two or more parties. 
These agreements can themselves comprise a collection of agreements between 
participants in a commercial value chain and/or a data security chain model for 
handling, auditing, reporting, and payment. It can provide efficient, reusable, 
modifiable, and consistent means for secure electronic content: distribution, usage 
control, usage payment, usage auditing, and usage reporting . Content may, for 
example, include: financial information such as electronic currency and credit; 
commercially distributed electronic information such as reference databases, 
movies, games, and advertising; and electronic properties produced by persons and 
organizations, such as documents, e-mail, and proprietary database information. 

Brief Summary Text - BSTX (55) : 
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VDE offers an architecture that avoids reflecting specific distribution biases, 
administrative and control perspectives, and content types. Instead, VDE provides a 
broad-spectrum, fundamentally configurable and portable, electronic transaction 
control, distributing, usage, auditing, reporting, and payment operating 
environment. VDE is not limited to being an application or application specific 
toolset that covers only a limited subset of electronic interaction activities and 
participants. Rather, VDE supports systems by which such applications can be 
created, modified, and/or reused. As a result, the present invention answers 
pressing, unsolved needs by offering a system that supports a standardized control 
environment which facilitates interoperability of electronic appliances, 
interoperability of content containers, and efficient creation of electronic 
commerce applications and models through the use of a programmable, secure 
electronic transactions management foundation and reusable and extensible 
executable components. VDE can support a single electronic "world" within which 
most forms of electronic transaction activities can be managed. 

Brief Summary Text - BSTX (58) : 

•VDE provides a secure, distributed electronic transaction management system for 
controlling the distribution and/or other usage of electronically provided and/or 
stored information. VDE controls auditing and reporting of electronic content 
and/or appliance usage. Users of VDE may include content creators who apply content 
usage, usage reporting, and/or usage payment related control information to 
electronic content and/or appliances for users such as end-user organizations, 
individuals, and content and/or appliance distributors. VDE also securely supports 
the payment of money owed (including money owed for content and/or appliance usage) 
by one or more parties to one or more other parties, in the form of electronic 
credit and/or currency. 

Brief Summary Text - BSTX (60) : 

Through use of VDE's control system, traditional content providers and users can 
create electronic relationships that reflect traditional, non-electronic 
relationships. They can shape and modify commercial relationships to accommodate 
the evolving needs of, and agreements among, themselves. VDE does not reguire 
electronic content providers and users to modify their business practices and 
personal preferences to conform to a metering and control application program that 
supports limited, largely fixed functionality. Furthermore, VDE permits 
participants to develop business models not feasible with non-electronic commerce, 
for example, involving detailed reporting of content usage information, large 
numbers of distinct transactions at hitherto infeasibly low price points, "pass- 
along" control information that is enforced without involvement or advance 
knowledge of the participants, etc. 

Brief Summary Text - BSTX (61) : 

The present invention allows content providers and users to formulate their 
transaction environment to accommodate: (1) desired content models, content control 
models, and content usage information pathways, (2) a complete range of electronic 
media and distribution means, (3) a broad range of pricing, payment, and auditing 
strategies, (4) very flexible privacy and/or reporting models, (5) practical and 
effective security architectures, and (6) other administrative procedures that 
together with steps (1) through (5) can enable most "real world" electronic 
commerce and data security models, including models unique to the electronic world. 

Brief Summary Text - BSTX (73) : 

Secure VDE hardware (also known as SPUs for Secure Processing Units), or VDE 
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installations that use software to substitute for, or complement, said hardware 
(provided by Host Processing Environments (HPEs)), operate in conjunction with 
secure communications, systems integration software, and distributed software 
control information and support structures, to achieve the electronic 
contract /rights protection environment of the present invention. Together, these 
VDE components comprise a secure, virtual, distributed content and/or appliance 
control, auditing (and other administration), reporting, and payment environment. 
In some embodiments and where commercially acceptable, certain VDE participants, 
such as clearinghouses that normally maintain sufficiently physically secure non- 
VDE processing environments, may be allowed to employ HPEs rather VDE hardware 
elements and interoperate, for example, with VDE end-users and content providers. 
VDE components together comprise a configurable, consistent, secure and "trusted" 
architecture for distributed, asynchronous control of electronic content and/or 
appliance usage. VDE supports a "universe wide" environment for electronic content 
delivery, broad dissemination, usage reporting, and usage related payment 
activities . 

Brief Summary Text - BSTX (74) : 

VDE provides generalized configurability. This results, in part, from 
decomposition of generalized requirements for supporting electronic commerce and 
data security into a broad range of constituent "atomic" and higher level 
components (such as load modules, data elements, and methods) that may be variously 
aggregated together to form control methods for electronic commerce applications, 
commercial electronic agreements, and data security arrangements. VDE provides a 
secure operating environment employing VDE foundation elements along with secure 
independently deliverable VDE components that enable electronic commerce models and 
relationships to develop. VDE specifically supports the unfolding of distribution 
models in which content providers, over time, can expressly agree to, or allow, 
subsequent content providers and/or users to participate in shaping the control 
information for, and consequences of, use of electronic content and/or appliances. 
A very broad range of the functional attributes important for supporting simple to 
very complex electronic commerce and data security activities are supported by 
capabilities of the present invention. As a result, VDE supports most types of 
electronic information and/or appliance: usage control (including distribution), 
security, usage auditing, reporting , other administration, and payment 
arrangements . 

Brief Summary Text - BSTX (77) : 

VDE provides important mechanisms for both enforcing commercial agreements and 
enabling the protection of privacy rights. VDE can securely deliver information 
from one party to another concerning the use of commercially distributed electronic 
content. Even if parties are separated by several "steps" in a chain (pathway) of 
handling for such content usage information, such information is protected by VDE 
through encryption and/or other secure processing. Because of that protection, the 
accuracy of such information is guaranteed by VDE, and the information can be 
trusted by all parties to whom it is delivered. Furthermore, VDE guarantees that 
all parties can trust that such information cannot be received by anyone other than 
the intended, authorized, party (ies) because it is encrypted such that only an 
authorized party, or her agents, can decrypt it. Such information may also be 
derived through a secure VDE process at a previous pathway-of-handling location to 
produce secure VDE reporting information that is then communicated securely to its 
intended recipient's VDE secure subsystem. Because VDE can deliver such information 
securely, parties to an electronic agreement need not trust the accuracy of 
commercial usage and/or other information delivered through means other than those 
under control of VDE. 

Brief Summary Text - BSTX (78) : 
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VDE participants in a commercial value chain can be "commercially" confident 
(that is, sufficiently confident for commercial purposes) that the direct 
(constituent) and/or "extended" electronic agreements they entered into through the 
use of VDE can be enforced reliably. These agreements may have both "dynamic" 
transaction management related aspects, such as content usage control information 
enforced through budgeting, metering, and/or reporting of electronic information 
and/or appliance use, and/or they may include "static" electronic assertions, such 
as an end-user using the system to assert his or her agreement to pay for services, 
not to pass to unauthorized parties electronic information derived from usage of 
content or systems, and/or agreeing to observe copyright laws. Not only can 
electronically reported transaction related information be trusted under the 
present invention, but payment may be automated by the passing of payment tokens 
through a pathway of payment (which may or may not be the same as a pathway for 
reporting ) . Such payment can be contained within a VDE container created 
automatically by a VDE installation in response to control information (located, in 
the preferred embodiment, in one or more permissions records) stipulating the 
"withdrawal" of credit or electronic currency (such as tokens) from an electronic 
account (for example, an account securely maintained by a user's VDE installation 
secure subsystem) based upon usage of VDE controlled electronic content and/or 
appliances (such as governments, financial credit providers, and users) . 

Brief Summary Text - BSTX (79) : 

VDE allows the needs of electronic commerce participants to be served and it can 
bind such participants together in a universe wide, trusted commercial network that 
can be secure enough to support very large amounts of commerce. VDE's security and 
metering secure subsystem core will be present at all physical locations where VDE 
related content is (a) assigned usage related control information (rules and 
mediating data), and/or (b) used. This core can perform security and auditing 
function s (including metering) that operate within a "virtual black box," a 
collection of distributed, very secure VDE related hardware instances that are 
interconnected by secured information exchange (for example, telecommunication) 
processes and distributed database means. VDE further includes highly configurable 
transaction operating system technology, one or more associated libraries of load 
modules along with affiliated data, VDE related administration, data preparation, 
and analysis applications, as well as system software designed to enable VDE 
integration into host environments and applications. VDE's usage control 
information, for example, provide for property content and/or appliance related: 
usage authorization, usage auditing (which may include audit reduction) , usage 
billing, usage payment, privacy filtering, reporting, and security related 
communication and encryption techniques. 

Brief Summary Text - BSTX (83) : 

VDE supports trusted (sufficiently secure) electronic information distribution 
and usage control models for both commercial electronic content distribution and 
data security applications. It can be configured to meet the diverse requirements 
of a network of interrelated participants that may include content creators, 
content distributors, client administrators, end users, and/or clearinghouses 
and/or other content usage information users. These parties may constitute a 
network of participants involved in simple to complex electronic content 
dissemination, usage control, usage reporting, and/or usage payment. Disseminated 
content may include both originally provided and VDE generated information (such as 
content usage information) and content control information may persist through both 
chains (one or more pathways) of content and content control information handling, 
as well as the direct usage of content. The configurability provided by the present 
invention is particularly critical for supporting electronic commerce, that is 
enabling businesses to create relationships and evolve strategies that offer 
competitive value. Electronic commerce tools that are not inherently configurable 
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and interoperable will ultimately fail to produce products (and services) that meet 
both basic requirements and evolving needs of most commerce applications. 

Brief Summary Text - BSTX (90) : 

VDE supports a general purpose foundation for secure transaction management, 
including usage control, auditing, reporting, and/or payment. This general purpose 
foundation is called "VDE Functions" ( "VDEFs" ) . VDE also * supports a collection of 
"atomic" application elements (e.g., load modules) that can be selectively 
aggregated together to form various VDEF capabilities called control methods and 
which serve as VDEF applications and operating system functions. When a host 
operating environment of an electronic appliance includes VDEF capabilities, it- is 
called a "Rights Operating System" (ROS) . VDEF load modules, associated data, and 
methods form a body of information that for the purposes of the present invention 
are called "control information." VDEF control information may be specifically 
associated with one or more pieces of electronic content and/or it may be employed 
as a general component of the operating system capabilities of a VDE installation. 

Brief Summary Text - BSTX (91) : 

VDEF transaction control elements reflect and enact content specific and/or more 
generalized administrative (for example, general operating system) control 
information. VDEF capabilities which can generally take the form of applications 
(application models) that have more or less configurability which can be shaped by 
VDE participants, through the use, for example, of VDE templates, to employ 
specific capabilities, along, for example, with capability parameter data to 
reflect the elements of one or more express electronic agreements between VDE 
participants in regards to the use of electronic content such as commercially 
distributed products. These control capabilities manage the use of, and/or auditing 
of use of, electronic content, as well as reporting information based upon content 
use, and any payment for said use. VDEF capabilities may "evolve" to reflect the 
requirements of one or more successive parties who receive or otherwise contribute 
to a given set of control information. Frequently, for a VDE application for a 
given content model (such as distribution of entertainment on CD-ROM, content 
delivery from an Internet repository, or electronic catalog shopping and 
advertising, or some combination of the above) participants would be able to 
securely select from amongst available, alternative control methods and apply 
related parameter data, wherein such selection of control method and/or submission 
of data would constitute their "contribution" of control information. 
Alternatively, or in addition, certain control methods that have been expressly 
certified as securely interoperable and compatible with said application may be 
independently submitted by a participant as part of such a contribution. In the 
most. general example, a generally certified load module (certified for a given VDE 
arrangement and/or content class) may be used with many or any VDE application that 
operates in nodes of said arrangement. These parties, to the extent they are 
allowed, can independently and securely add, delete, and/or otherwise modify the 
specification of load modules and methods, as well as add, delete or otherwise 
modify related information. 

Brief Summary Text - BSTX (95) : 

VDEF capabilities may be employed, and a VDE agreement may be entered into, by a 
plurality of parties without the VDEF capabilities being directly associated with 
the controlling of certain, specific electronic information. For example, certain 
one or more VDEF capabilities may be present at a VDE installation, and certain VDE 
agreements may have been entered into during the registration process for a content 
distribution application, to be used by such installation for securely controlling 
VDE content usage, auditing, reporting and/or payment. Similarly, a specific VDE 
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participant may enter into a VDE user agreement with a VDE content or electronic 
appliance provider when the user and/or her appliance register with such provider 
as a VDE installation and/or user. In such events, VDEF in place control 
information available to the user VDE installation may require that certain VDEF 
methods are employed, for example in a certain sequence, in order to be able to use 
all and/or certain classes, of electronic content and/or VDE applications. 

Brief Summary Text - BSTX (101) : 

VDE employs a variety of capabilities that serve as a foundation for a general 
purpose, sufficiently secure distributed electronic commerce solution. VDE enables 
an electronic commerce marketplace that supports divergent, competitive business 
partnerships, agreements, and evolving overall business models. For example, VDE 
includes features that: "sufficiently" impede unauthorized and/or uncompensated use 
of electronic information and/or appliances through the use of secure 
communication, storage, and transaction management technologies. VDE supports a 
model wide, distributed security implementation which creates a single secure 
"virtual" transaction processing and information storage environment. VDE enables 
distributed VDE installations to securely store and communicate information and 
remotely control the execution processes and the character of use of electronic 
information at other VDE installations and in a wide variety of ways; support low- 
cost, efficient, and effective security architectures for transaction control, 
auditing, reporting, and related communications and information storage. VDE may 
employ tagging related security techniques, the time-ageing of encryption keys, the 
compartmentalization of both stored control information (including differentially 
tagging such stored information to ensure against substitution and tampering) and 
distributed content (to, for many content applications, employ one or more content 
encryption keys that are unique to the specific VDE installation and/or user), 
private key techniques such as triple DES to encrypt content, public key techniques 
such as RSA to protect communications and to provide the benefits of digital 
signature and authentication to securely bind together the nodes of a VDE 
arrangement, secure processing of important transaction management executable code, 
and a combining of a small amount of highly secure, hardware protected storage 
space with a much larger "exposed" mass media storage space storing secured 
(normally encrypted and tagged) control and audit information. VDE employs special 
purpose hardware distributed throughout some or all locations of a VDE 
implementation: a) said hardware controlling important elements of: content 
preparation (such as causing such content to be placed in a VDE content container 
and associating content control information with said content), content and/or 
electronic appliance usage auditing, content usage analysis, as well as content 
usage control; and b) said hardware having been designed to securely handle 
processing load module control activities, wherein said control processing 
activities may involve a sequence of required control factors; support dynamic user 
selection of information subsets of a VDE electronic information product (VDE 
controlled content) . This contrasts with the constraints of having to use a few 
high level individual, pre-defined content provider information increments such as 
being required to select a whole information product or product section in order to 
acquire or otherwise use a portion of such product or section. VDE supports 
metering and usage control over a variety of increments (including "atomic" 
increments, and combinations of different increment types) that are selected ad hoc 
by a user and represent a collection of pre-identif ied one or more increments (such 
as one or more blocks of a preidentif ied nature, e.g., bytes, images, logically 
related blocks) that form a generally arbitrary, but logical to a user, content 
"deliverable." VDE control information (including budgeting, pricing and metering) 
can be configured so that it can specifically apply, as appropriate, to ad hoc 
selection of different, unanticipated variable user selected aggregations of 
information increments and pricing levels can be, at least in part, based on 
quantities and/or nature of mixed increment selections (for example, a certain 
quantity of certain text could mean associated images might be discounted by 15%; a 
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greater quantity of text in the "mixed" increment selection might mean the images 
are discounted 20%) . Such user selected aggregated information increments can 
reflect the actual requirements of a user for information and is more flexible than 
being limited to a single, or a few, high level, (e.g. product, document, database 
record) predetermined increments. Such high level increments may include quantities 
of information not desired by the user and as a result be more costly than the 
subset of information needed by the user if such a subset was available. In sum, 
the present invention allows information contained in electronic information 
products to be supplied according to user specification. Tailoring to user 
specification allows the present invention to provide the greatest value to users, 
which in turn will generate the greatest amount of electronic commerce activity. 
The user, for example, would be able to define an aggregation of content derived 
.from various portions of an available content product, but which, as a deliverable 
for use by the user, is an entirely unique aggregated increment. The user may, for 
example, select certain numbers of bytes of information from various portions of an 
information product, such as a reference work, and copy them to disc unencrypted 
form and be billed based on total number of bytes plus a surcharge on the number of 
"articles" that provided the bytes. A content provider might reasonably charge less 
for such a user defined information increment since the user does not require all 
of the content from all of the articles that contained desired information. This, 
process of defining a user desired information increment may involve artificial 
intelligence database search tools that contribute to the location of the most 
relevant portions of information from an information product and cause the 
automatic display to the user of .information describing search criteria hits for 
user selection or the automatic extraction and delivery of such portions to the 
user. VDE further supports a wide variety of predefined increment types including: 
bytes, images, content over time for audio or video, or any other increment that 
can be identified by content provider data mapping efforts, such as: sentences, 
paragraphs, articles, database records, and byte offsets representing increments of 
logically related information. 

Brief Summary Text - BSTX (102) : 

VDE supports as many simultaneous predefined increment types as may be practical 
for a given type of content and business model, securely store at a user's site 
potentially highly detailed information reflective of a user's usage of a variety 
of different content segment types and employing both inexpensive "exposed" host 
mass storage for maintaining detailed information in the form of encrypted data and 
maintaining summary information for security testing in highly secure special 
purpose VDE installation nonvolatile memory (if available) . support trusted chain 
of handling capabilities for pathways of distributed electronic information and/or 
for content usage related information. Such chains may extend, for example, from a 
content creator, to a distributor, a redistributor , a client user, and then may 
provide a pathway for securely reporting the same and/or differing usage 
information to one or more auditors, such as to one or more independent 
clearinghouses and then back to the content providers, including content creators. 
The same and/or different .pathways employed for certain content handling, and 
related content control information and reporting information handling, may also be 
employed as one or more pathways for electronic payment handling (payment is 
characterized in the present invention as administrative content) for electronic 
content and/or appliance usage. These pathways are used for conveyance of all or 
portions of content, and/or content related control information. Content creators 
and other providers can specify the pathways that, partially or fully, must be used 
to disseminate commercially distributed property content, content control 
information, payment administrative content, and/or associated usage reporting 
information. Control information specified by content providers may also specify 
which specific parties must or may (including, for example, a group of eligible 
parties from which a selection may be made) handle conveyed information. It may 
also specify what transmission means (for example telecommunication carriers or 
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media types) and transmission hubs must or may be used, support flexible auditing 
mechanisms, such as employing "bitmap meters," that achieve a high degree of 
efficiency of operation and throughput and allow, in a practical manner, the 
retention and ready recall of information related to previous usage activities and 
related patterns. This flexibility is adaptable to a wide variety of billing and 
security control strategies such as: upgrade pricing (e.g. suite purchases), 
pricing discounts (including quantity discounts), billing related time duration 
variables such as discounting new purchases based on the timing of past purchases, 
and security budgets based on quantity of different, logically related units of 
electronic information used over an interval of time. Use of bitmap ineters 
(including "regular" and "wide" bitmap meters) to record usage and/or purchase of 
information, in conjunction with other elements of the preferred embodiment of the 
present invention, uniquely supports efficient maintenance of usage history for: 
(a) rental, (b) flat fee licensing or purchase, (c) licensing or purchase discounts 
based upon historical usage variables, and (d) reporting to users in a manner 
enabling users to determine whether a certain item was acquired, or acquired within 
a certain time period (without requiring the use of conventional database 
mechanisms, which are highly inefficient for these applications) . Bitmap meter 
methods record activities associated with electronic appliances, properties, 
objects, or portions thereof, and/or administrative activities that are independent 
of specific properties, objects, etc., performed by a user and/or electronic 
appliance such that a content and/or appliance provider and/or controller of an 
administrative activity can determine whether a certain activity has occurred at 
some point, or during a certain period, in the past (for example, certain use of a 
commercial electronic content product and/or appliance) . Such determinations can 
then be used as part of pricing and/or control strategies of a content and/or 
appliance provider, and/or controller of an administrative activity. For example, 
the content provider may choose to charge only once for access to a portion of a 
property, regardless of the number of times that portion of the property is 
accessed by a user, support "launchable" content, that is content that can be 
provided by a content provider to an end-user, who can then copy or pass along the 
content to other end-user parties without requiring the direct participation of a 
content provider to register and/or otherwise initialize the content for use. This 
content goes "out of (the traditional distribution) channel" in the form of a 
"traveling object." Traveling objects are containers that securely carry at least 
some permissions information and/or methods that are required for their use (such 
methods need not be carried by traveling objects if the required methods will be 
available at, or directly available to, a destination VDE installation) . Certain 
travelling objects may be used at some or all VDE installations of a given VDE 
arrangement since they can make available the content control information necessary 
for content use without requiring the involvement of a commercial VDE value chain 
participant or data security administrator (e.g. a control officer or network 
administrator) . As long as traveling object control information requirements are 
available at the user VDE installation secure subsystem (such as the presence of a 
sufficient quantity of financial credit from an authorized credit provider), at 
least some travelling object content may be used by a receiving party without the 
need to establish a connection with a remote VDE authority (until, for example, 
budgets are exhausted or a time content usage reporting interval has occurred) . 
Traveling objects can travel "out-of-channel, " allowing, for example, a user to 
give a copy of a traveling object whose content is a software program, a movie or a 
game, to a neighbor, the neighbor being able to use the traveling object if 
appropriate credit (e.g. an electronic clearinghouse account from a clearinghouse 
such as VISA or AT&T) is available. Similarly, electronic information that is. 
generally available on an Internet, or a similar network, repository might be 
provided in the form of a traveling object that can be downloaded and subsequently 
copied by the initial downloader and then passed along to other parties who may 
pass the object on to additional parties, provide very flexible and extensible user • 
identification according to individuals, installations, by groups such as classes, 
and by function and hierarchical identification employing a hierarchy of levels of 
client identification (for example, client organization ID, client department ID, 
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client network ID, client project ID, and client employee ID, or any appropriate 
subset of the above) . provide a general purpose, secure, component based content 
control and distribution system that functions as a foundation transaction 
operating system environment that employs executable code pieces crafted for 
transaction control and auditing. These code pieces can be reused to optimize 
efficiency in creation and operation of trusted, distributed transaction management 
arrangements. VDE supports providing such executable code in the form of "atomic" 
load modules and associated data. Many such load modules are inherently 
configurable, aggregatable, portable, and extensible and singularly, or in 
combination (along with associated data), run as control methods under the VDE 
transaction operating environment. VDE can satisfy the requirements of widely 
differing electronic commerce and data security applications by, in part, employing 
this general purpose transaction management foundation to securely process VDE 
transaction related control methods. Control methods are created primarily through 
the use of one or more of said executable, reusable load module code pieces 
(normally in the form of executable object components) and associated data. The 
component nature of control methods allows the present invention to efficiently 
operate as a highly configurable content control system. Under the present 
invention, content control models can be iteratively and asynchronously shaped, and 
otherwise updated to accommodate the needs of VDE participants to the extent that 
such shaping and otherwise updating conforms to constraints applied by a VDE 
application, if any (e.g., whether new component assemblies are accepted and, if 
so, what certification requirements exist for' such component assemblies or whether 
any or certain participants may shape any or certain control information by 
selection amongst optional control information (permissions record) control 
methods. This iterative (or concurrent) multiple participant process occurs as a 
result of the submission and use of secure, control information components 
(executable code such as load modules and/or methods, and/or associated data) . 
These components may be contributed independently by secure communication between 
each control information influencing VDE participants VDE installation and may 
require certification for use with a given application, where such certification 
was provided by a certification service manager for the VDE arrangement who ensures 
secure interoperability and/or reliability (e.g., bug control resulting from 
interaction) between appliances and submitted control methods. The transaction 
management control functions of a VDE electronic appliance transaction operating 
environment interact with non-secure transaction management operating system 
function s to properly direct transaction processes and data related to electronic 
information security, usage control, auditing, and usage reporting . VDE provides 
the capability to manages resources related to secure VDE content and/or appliance 
control information execution and data storage, facilitate creation of application 
and/or system functionality under VDE and to facilitate integration into electronic 
appliance environments of load modules and methods created under the present 
invention. To achieve this, VDE employs an Application Programmer's Interface (API) 
and/or a transaction operating system (such as a ROS) programming language with 
incorporated function s, both of which support the use of capabilities and can be 
used to efficiently and tightly integrate VDE functionality into commercial and 
user applications, support user interaction through: (a) "Pop-Up" applications 
which, for example, provide messages to users and enable users to take specific 
actions such as approving a transaction, (b) stand-alone VDE applications that 
provide administrative environments for user activities such as: end-user 
preference specifications for limiting the price per transaction, unit of time, 
and/or session, for accessing history information concerning previous transactions, 
for reviewing financial information such as budgets, expenditures (e.g. detailed 
and/or summary) and usage analysis information, and (c) VDE aware applications 
which, as a result of the use of a VDE API and/or a transaction management (for 
example, ROS based) programming language embeds VDE "awareness" into commercial or 
internal software (application programs, games, etc.) so that VDE user control 
information and services are seamlessly integrated into such software and can be 
directly accessed by a user since the underlying functionality has been integrated 
into the commercial software's native design. For example, in a VDE aware word 
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processor application, a user may be able to "print" a document into a VDE content 
container object, applying specific control information by selecting from- amongst a 
series of different menu templates for different purposes (for example, a 
confidential memo template for internal organization purposes may restrict the 
ability to "keep, " that is to make an electronic copy of the memo) . employ 
"templates" to ease the process of configuring capabilities of the present 
invention as they relate to specific industries or businesses. Templates are 
applications or application add-ons under the present invention. Templates support 
the efficient specification and/or manipulation of criteria related to specific 
content types, distribution approaches, pricing mechanisms, user interactions with 
content and/or administrative activities, and/or the like. Given the very large 
range of capabilities and configurations supported by the present invention, 
reducing the range of configuration opportunities to a manageable subset 
particularly appropriate for a given business model allows the full configurable 
power of the present invention to be easily employed by "typical" users who would 
be otherwise burdened with complex programming and/or configuration design 
responsibilities template applications can also help ensure that VDE related 
processes are secure and optimally bug free by reducing the risks associated with 
the contribution of independently developed load modules, including unpredictable 
aspects of code interaction between independent modules and applications, as well 
as security risks associated with possible presence of viruses in such modules. 
VDE, through the use of templates, reduces typical user configuration 
responsibilities to an appropriately focused set of activities including selection 
of method types (e.g. functionality) through menu choices such as multiple choice, 
icon selection, and/or prompting for method parameter data (such as identification 
information, prices, budget limits, dates, periods of time, access rights to 
specific content, etc.) that supply appropriate and/or necessary data for control 
information purposes. By limiting the typical (non-programming) user to a limited 
subset of configuration activities whose general configuration environment 
(template) has been preset to reflect general requirements corresponding to that 
user, or a content or other business model can very substantially limit 
difficulties associated with content containerization (including placing initial 
control information on content), distribution, client administration, electronic 
agreement implementation, end-user interaction, and clearinghouse activities, 
including associated interoperability problems (such as conflicts resulting from 
security, operating system, and/or certification incompatibilities) . Use of 
appropriate VDE templates can assure users that their activities related to content 
VDE containerization, contribution of other control information, communications, 
encryption techniques and/or keys, etc. will be in compliance with specifications 
for their distributed VDE arrangement. VDE templates constitute preset 
configurations that can normally be reconf igurable to allow for new and/or modified 
templates that reflect adaptation into new industries as they evolve or to reflect 
the evolution or other change of an existing industry. For example, the template 
concept may be used to provide individual, overall frameworks for organizations and 
individuals that create, modify, market, distribute, consume, and/or otherwise use 
movies, audio recordings and live performances, magazines, telephony based retail 
sales, catalogs, computer software, information data bases, multimedia, commercial 
communications, advertisements, market surveys, inf omercials, games, CAD/CAM 
services for numerically controlled machines, and the like. As the context 
surrounding these templates changes or evolves, template applications provided 
under the present invention may be modified to meet these changes for broad use, or 
for more focused activities. A given VDE participant may have a plurality of 
templates available for different tasks. A party that places content in its initial 
VDE container may have a variety of different, configurable templates depending on 
the type of content and/or business model related to the content. An end-user may 
have different configurable templates that can be applied to different document 
types (e-mail, secure internal documents, database records, etc.) and/or subsets of 
users (applying differing general sets of control information to different bodies 
of users, for example, selecting a list of users who may, under certain preset 
criteria, use a certain document) . Of course, templates may, under certain 
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circumstances have fixed control information and not provide for user selections or 
parameter data entry, support plural, different control models regulating the use 
and/or auditing of either the same specific copy of electronic information content 
and/or differently regulating different copies (occurrences) of the same electronic 
information content. Differing models for billing, auditing, and securi-ty can be 
applied to the same piece of electronic information content and such differing sets 
of control information may employ, for control purposes, the same, or differing, 
granularities of electronic information control increments. This includes 
supporting variable control information for budgeting and auditing usage as applied 
to a variety of predefined increments of electronic information, including 
employing a variety of different budgets and/or metering increments for a given 
electronic information deliverable for: billing units of measure, credit 

Brief Summary Text - BSTX (103) : 

limit, security budget limit and security content metering increments, and/or 
market surveying and customer profiling content • metering increments. For example, a 
CD-ROM disk with a database of scientific articles might be in part billed 
according to a formula based on the number of bytes decrypted, number of articles 
containing said bytes decrypted, while a security budget might limit the use of 
said database to no more than 5% of the database per month for users on the wide 
area network it is installed on. provide mechanisms to persistently maintain 
trusted content usage and reporting control information through both a sufficiently 
secure chain of handling of content and content control information -and through 
various forms of usage of such content wherein said persistence of control may 
survive such use. Persistence of control includes the ability to extract 
information from a- VDE container object by creating a new container whose contents 
are at least in part secured and that contains both the extracted content and at 
least a portion of the control information which control information of the 
original container and/or are at least in part produced by control information of 
the original container for this purpose and/or VDE installation control information 
stipulates should persist and/or control usage of content in the newly formed 
container. Such control information can continue to manage usage of container 
content if the container is "embedded" into another VDE managed object, such as an 
object which contains plural embedded VDE containers, each of which contains 
content derived (extracted) from a different source, enables users, other value 
chain participants (such as clearinghouses and government agencies), and/or user 
organizations, to specify preferences or requirements related to their use of 
electronic content and/or appliances. Content users, such as end-user customers 
using commercially distributed content (games, information resources, software 
programs, etc.), can define, if allowed by senior control information, budgets, 
and/or other control information, to manage their own internal use of content. Uses 
include, for example, a user setting a limit on the price for electronic documents 
that the user is willing to pay without prior express user authorization, and the 
user establishing the character of metering information he or she is willing to 
allow to be collected (privacy protection) . This includes providing the means for 
content users to protect the privacy of information derived from their use of a VDE 
installation and content and/or appliance usage auditing. In particular, VDE can 
prevent information related to a participant's usage of electronic content from 
being provided to other parties without the participant's tacit or explicit 
agreement, provide mechanisms that allow control information to "evolve" and be 
modified according, at least in part, to independently, securely delivered further 
control information. Said control information may include executable code (e.g., 
load modules) that has been certified as acceptable (e.g., reliable and trusted) 
for use with a specific VDE application, class of applications, and/or a VDE 
distributed arrangement. This modification (evolution) of control information can 
occur upon content control information (load modules and any associated data) 
circulating to one or more VDE participants in a pathway of handling of control 
information, or it may occur upon control information being received from a VDE 
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participant. Handlers in a pathway of handling of content control information, to 
the extent each is authorized, can establish, modify, and/or contribute to, 
permission, auditing, payment, and reporting control information related to 
controlling, analyzing, paying for, and/or reporting usage of, electronic content 
and/or appliances (for example, as related to usage of VDE controlled property 
content) . Independently delivered (from an independent source which is independent 
except in regards to certification) , at least in part secure, control information 
can be employed to securely modify content control information when content control 
information has flowed from one party to another party in a sequence of VDE content 
control information handling. This modification employs, for example, one or more 
VDE component assemblies being securely processed in a VDE secure subsystem. In an 
alternate embodiment, control information may be modified by a senior party through 
use of their VDE installation secure sub-system after receiving submitted, at least 
in part secured, control information from a "junior" party, normally in the form of 
a VDE administrative object. Control information passing along VDE pathways can 
represent a mixed control set, in that it may include: control information that 
persisted through a sequence of control information handlers, other control 
information that was allowed to be modified, and further control information 
representing new control information and/or mediating data. Such a control set 
represents an evolution of control information for disseminated content. In this 
example the overall content control set for a VDE content container is "evolving" 
as it securely (e.g. communicated in encrypted form and using authentication and 
digital signaturing techniques) passes, at least in part, to a new participants VDE 
installation where the proposed control information is securely received and 
handled. The received control information may be integrated (through use of the 
receiving parties 1 VDE installation secure sub-system) with in-place control 
information through a negotiation process involving both control information sets. 
For example, the modification, within the secure sub-system of a content provider's 
VDE installation, of content control information for a certain VDE content 
container may have occurred as a result of the incorporation of required control 
information provided by a financial credit provider. Said credit provider may have 
employed their VDE installation to prepare and securely communicate (directly or 
indirectly) said required control information to said content provider. 
Incorporating said required control information enables a content provider to allow 
the credit provider's credit to be employed by a content end-user to compensate for 
the end-user's use of VDE controlled content and/or appliances, so long as said 
end-user has a credit account with said financial credit provider and said credit 
account has sufficient credit available. Similarly, -control information requiring 
the payment of taxes and/or the provision of revenue information resulting from 
electronic commerce activities may be securely received by a content provider. This 
control information may be received, for example, from a government agency. Content 
providers might be required by law to incorporate such control information into the 
control information for commercially distributed content and/or services related to 
appliance usage. Proposed control information is used to an extent allowed by 
senior control information and as determined by any negotiation trade-offs that 
satisfy priorities stipulated by each set (the received set and the proposed set) . 
VDE also accommodates different control schemes specifically applying to different 
participants (e.g., individual participants and/or participant classes (types)) in 
a network of VDE content handling participants, support multiple simultaneous 
control models for the same content property and/or property portion. This allows, 
for example, for concurrent business activities which are dependent on electronic 
commercial product content distribution, such as acquiring detailed market survey 
information and/or supporting advertising, both of which can increase revenue and 
result in lower content costs to users and greater value to content providers. Such 
control information and/or overall control models may be applied, as determined or 
allowed by control information, in differing manners to different participants in a 
pathway of content, reporting, payment, and/or related control information 
handling. VDE supports applying different content control information to the same 
and/or different content and/or appliance usage related activities, and/or to 
different parties in a content and/or appliance usage model, such that different 
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parties (or classes of VDE users, for example) are subject to differing control 
information managing their use of electronic information content. For example, 
differing control models based on the category of a user as a distributor of a VDE 
controlled content object or an end-user of such content may result in different 
budgets being applied. Alternatively, for example, a one distributor may have the 
right to distribute a different array of properties than another distributor (from 
a common content collection provided, for example, on optical disc) . An individual, 
and/or a class or other grouping of end-users, may have different costs (for 
example, a student, senior citizen, and/or poor citizen user of content who may be 
provided with the same or differing discounts) than a "typical" content user, 
support provider revenue information resulting from customer use of content and/or 
appliances, and/or provider and/or end-user payment of taxes, through the transfer 
of credit and/or electronic currency from said end-user and/or provider to a 
government agency, might occur "automatically" as a result of such received control 
information causing the generation of a VDE content container whose content 
includes customer content usage information reflecting secure, trusted revenue 
summary information and/or detailed user transaction listings (level of detail 
might depend, for example on type or size of transaction--inf ormation regarding a 
bank interest payment to a customer or a transfer of a large (e.g. over $10,000) 
might be, by law, automatically reported to the government) . Such summary and/or 
detailed information related to taxable events and/or currency, and/or creditor 
currency transfer, may be passed along a pathway of reporting and/or payment to the 
government in a VDE container. Such a container may also be used for other VDE 
related content usage reporting information, support the flowing of content control 
information through different "branches" of content control information handling so 
as to accommodate, under the present invention's preferred embodiment, diverse 
controlled distributions of VDE controlled content. This allows different parties 
to employ the same initial electronic content with differing (perhaps competitive) 
control strategies. In this instance, a party who first placed control information 
on content can make certain control assumptions and these assumptions would evolve 
into more specific and/or extensive control assumptions. These control assumptions 
can evolve during the branching sequence upon content model- participants submitting 
control information changes, for example, for use in "negotiating" with "in place" 
content control information. This can result in new or modified content control 
information and/or it might involve the selection of certain one or more already 
"in-place" content usage control methods over in-place alternative methods, as well 
as the submission of relevant control information parameter data. This form of 
evolution of different control information sets applied to different copies of the 
same electronic property content and/or appliance results from VDE control 
information flowing "down" through different branches in an overall pathway of 
handling and control and being modified differently as it diverges down these 
different pathway branches. This ability of the present invention to support 
multiple pathway branches for the flow of both VDE content control information and 
VDE managed content enables an electronic commerce marketplace which supports 
diverging, competitive business partnerships, agreements, and evolving overall 
business models which can employ the same content properties combined, for example, 
in differing collections of content representing differing at least in part 
competitive products, enable a. user to securely extract, through the use of the 
secure subsystem at the user's VDE installation, at least a portion of the content 
included within a VDE content container to produce a new, secure object (content 
container) , such that the extracted information is maintained in a continually 
secure manner through the extraction process. Formation of the new VDE container 
containing such extracted content shall result in control information consistent 
with, or specified by, the source VDE content container, and/or local. VDE 
installation secure subsystem as appropriate, content control information. Relevant 
control information, such as security and administrative information, derived, at 
least in part, from the parent (source) object's control information, will normally 
be automatically inserted into a new VDE content container object containing 
extracted VDE content. This process typically occurs under the control framework of 
a parent object and/or VDE installation control information executing at the user's 
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VDE installation secure subsystem (with, for example, at least a portion of this 
inserted control information being stored securely in encrypted form in one or more 
permissions records) . In an alternative embodiment, the derived content control 
information applied to extracted content may be in part or whole derived from, or 
employ, content control information stored remotely from the VDE installation that 
performed the secure extraction such as at a remote server location. As with the 
content control information for most VDE managed content, features of the present 
invention allows the content's control information to: (a) "evolve," for example, 
the extractor of content may add new control methods and/or modify control 
parameter data, such as VDE application compliant methods, to the extent allowed by 
the content's in-place control information. Such new control information might 
specify, for example, who may use at least a portion of the new object, and/or how 
said at least a portion of said extracted content may be used (e.g. when at least a 
portion may be used, or what portion or quantity of portions may be used) ; (b) 
allow a user to combine additional content with at least a portion of said 
extracted content, such as material authored by the extractor and/or content (for 
example, images, video, audio, and/or text) extracted from one or more other VDE 
container objects for placement directly into the new container; (c) allow a user 
to securely edit at least a portion of said content while maintaining said content 
in a secure form within said VDE content container; (d) append extracted content to 
a pre-existing VDE content container object and attach associated control 
information—in these cases, user added information may be secured, e.g., 
encrypted, in part or as a whole, and may be subject to usage and/or auditing 
control information that differs from the those applied to previously in place 
object content; (e) preserve VDE control over one or more portions of extracted 
content after various forms of usage of said portions, for example, maintain 
content in securely stored form while allowing "temporary" on screen display of 
content or allowing a software program to be maintained in secure form but 
transiently decrypt any encrypted executing portion of said program (all, or only a 
portion, of said program may be encrypted to secure the program) . Generally, the 
extraction features of the present invention allow users to aggregate and/or 
disseminate and/or otherwise use protected electronic content information extracted 
from content container sources while maintaining secure VDE capabilities thus 
preserving the rights of providers in said content information after various 
content usage processes, support the aggregation of portions of VDE controlled 
content, such portions being subject to differing VDE content container control 
information, wherein various of said portions may have been provided by 
independent, different content providers from one or more different locations 
remote to the user performing the aggregation. Such aggregation, in the preferred 
embodiment of the present invention, may involve preserving at least a portion of 
the control information (e.g., executable code such as load modules) for each of 
various of said portions by, for example, embedding some or all of such portions 
individually as VDE content container objects within an overall VDE content 
container and/or embedding some or all of such portions directly into a VDE content 
container. In the latter case, content control information of said content 
container may apply differing control information sets to various of such portions 
based upon said portions original control information requirements before 
aggregation. Each of such embedded VDE content containers may have its own control 
information in the form of one or more permissions records; Alternatively, a 
negotiation between control information associated with various aggregated portions 
of electronic content, may produce a control information set that would govern some 
or 

Brief Summary Text - BSTX (104) : 

all of the aggregated content portions. The VDE content control information 
produced by the negotiation may be uniform (such as having the same load modules 
and/or component assemblies, and/or it may apply differing such content control 
information to two or more portions that constitute an aggregation of VDE 
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controlled content such as differing metering, budgeting, billing and/or payment 
models. For example, content usage payment may be automatically made, either 
through a clearinghouse, or directly, to different content providers for different 
potions, enable flexible metering of, or other collection of information related 
to, use of electronic content and/or electronic appliances. A feature of the 
present invention enables such flexibility of metering control mechanisms to 
accommodate a simultaneous, broad array of: (a) different parameters related to 
electronic information content use; (b) different increment units (bytes, 
documents, properties, paragraphs, images, etc.) and/or other organizations of such 
electronic content; and/or (c) different categories of user and/or VDE installation 
types, such as client organizations, departments, projects, networks, and/or 
individual users, etc. This feature of the present invention can be employed for 
content security, usage analysis (for example, market surveying), and/or 
compensation based upon the use and/or exposure to VDE managed content. Such 
metering is a flexible basis for ensuring payment for content royalties, licensing, 
purchasing, and/or advertising. A feature of the present invention provides for 
payment means supporting flexible electronic currency and credit mechanisms, 
including the ability to securely maintain audit trails reflecting information 
related to use of such currency or credit. VDE supports multiple differing 
hierarchies of client organization control information wherein an organization 
client administrator distributes control information specifying the. usage rights of 
departments, users, and/or projects. Likewise, a department (division) network 
manager can function as a distributor (budgets, access rights, etc.) for department 
networks, projects, and/or users, etc. provide scalable, integratable, standardized 
control means for use on electronic appliances ranging from inexpensive consumer 
(for example, television set-top appliances) and professional devices (and hand- 
held PDAs) to servers, mainframes, communication switches, etc. The scalable 
transaction management/auditing technology of the present invention will result in 
more efficient and reliable interoperability amongst devices functioning in 
electronic commerce and/or data security environments. As standardized physical 
containers have become essential to the shipping of "physical goods around the 
world, allowing these physical containers to universally "fit "unloading equipment, 
efficiently use truck and train space, and accommodate known arrays of objects (for 
example, boxes) in an efficient manner, so VDE electronic content containers may, 
as provided by the present invention, be able to efficiently move electronic 
information content (such as commercially published properties, electronic currency 
and credit, and content audit information), and associated content control 
information, around the world. Interoperability is fundamental to efficient 
electronic commerce. The design of the VDE foundation, VDE load modules, and VDE 
containers, are important features that enable the VDE node operating environment 
to be compatible with a very broad range of electronic appliances. The ability, for 
example, for control methods based on load modules to execute in very "small" and 
inexpensive secure sub-system environments, such as environments with very little 
read/write memory, while also being able to execute in large memory sub-systems 
that may be used in more expensive electronic appliances, supports consistency 
across many machines. This consistent VDE operating environment, including its 
control structures and container architecture, enables the use of standardized VDE 
content containers across a broad range of device types and host operating 
environments. Since VDE capabilities can be seamlessly integrated as extensions, 
additions, and/or modifications to fundamental capabilities of electronic 
appliances and host operating systems, VDE containers, content control information, 
and the VDE foundation will be able to work with many device types and these device 
types will be able to consistently and efficiently interpret and enforce VDE 
control information. Through this integration users can also benefit from a 
transparent interaction with many of the capabilities of VDE. VDE integration with 
software operating on a host electronic appliance supports a variety of 
capabilities that would be unavailable or less secure without such integration. 
Through integration with one or more device applications and/or device operating 
environments, many capabilities of the present invention can be presented as 
inherent capabilities of a given electronic appliance, operating system, or 



http://127.0.0.1:4343/C:/APPS/east/cache/eas2004012U61036636.tmp?text_fo^ 1/21/04 



DOCUMENT-IDENTIFIER: US 6363488 Bl 



Page 16 of 45 



appliance application. For example,, features of the present invention include: (a) 
VDE system software to in part extend and/or modify host operating systems such 
that they possesses VDE capabilities, such as enabling secure transaction 
processing and electronic information storage; (b) one or more application programs 
that in part represent tools associated with VDE operation; and/or (c) code to be 
integrated into application programs, wherein such code incorporates references 
into VDE system software to integrate VDE capabilities and makes such applications 
VDE aware (for example, word processors, database retrieval applications, 
spreadsheets, multimedia presentation authoring tools, film editing software, music 
editing software such as MIDI applications and the like, robotics control systems 
such as those associated with CAD /CAM environments and NCM software and the like, 
electronic mail systems, teleconferencing software, and other data authoring, 
creating, handling, and/or usage applications including combinations of the above) . 
These one or more features (which may also be implemented in firmware or hardware) 
may be employed in conjunction with a VDE node secure hardware processing 
capability, such as a microcontroller (s) , microprocessor (s ) , other CPU(s) or other 
digital processing logic, employ audit reconciliation and usage pattern evaluation 
processes that assess, through certain, normally network based, transaction 
processing reconciliation and threshold checking activities, whether certain 
violations of security of a VDE arrangement have occurred. These processes are 
performed remote to VDE controlled content end-user VDE locations by assessing, for 
example, purchases, and/or requests, for electronic properties by a given VDE 
installation. Applications for such reconciliation activities include assessing 
whether the quantity of remotely delivered VDE controlled content corresponds to 
the amount of financial credit and/or electronic currency employed for the use of 
such content. A trusted organization can acquire information from content providers 
concerning the cost for content provided to a given VDE installation and/or user 
and compare this cost for content with the credit and/or electronic currency 
disbursements for that installation and/or user. Inconsistencies in the amount of 
content delivered versus the amount of disbursement can prove, and/or indicate, 
depending on the circumstances, whether the local VDE installation has been, at 
least to some degree, compromised (for example, certain important system security 
function s, such as breaking encryption for at least some portion of the secure 
subsystem and/or VDE controlled content by uncovering one or more keys) . 
Determining whether irregular patterns (e.g. unusually high demand) of content 
usage, or requests for delivery of certain kinds of VDE controlled information 
during a certain time period by one or more VDE installations and/or users 
(including, for example, groups of related users whose aggregate pattern of usage 
is suspicious) may also be useful in determining whether security at such one or 
more installations, and/or by such one or more users, has been compromised, 
particularly when used in combination with an assessment of electronic credit 
and/or currency provided to one or more VDE users and/or installations, by some or 
all of their credit and/or currency suppliers, compared with the disbursements made 
by such users and/or installations.' support security techniques- that materially 
increase the time required to "break" a system's integrity. This includes using a 
collection of techniques that minimizes the damage resulting from comprising some 
aspect of the security features of the present inventions, provide a family of 
authoring, administrative, reporting, payment, and billing tool user applications 
that comprise components of the present invention's trusted/secure, universe wide, 
distributed transaction control and administration system. These components support 
VDE related: object creation (including placing control information on content), 
secure object distribution and management (including distribution control 
information, financial related, and other usage analysis), client internal VDE 
activities administration and control, security management, user interfaces, 
payment disbursement, and clearinghouse related functions. These components are 
designed to support highly secure, uniform, consistent, and standardized^ 
electronic commerce and/or data security pathway (s) of handling, reporting, and/or 
payment; content control and administration; and human factors (e.g. user 
interfaces) . support the operation of a plurality of clearinghouses, including, for 
example, both financial and user clearinghouse activities, such as those performed 
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by a client administrator in a large organization to assist in the organization's 
use of a VDE arrangement, including usage information analysis, and control of VDE 
activities by individuals and groups of employees such as specifying budgets and 
the character of usage rights available under VDE for certain groups of and/or 
individual, client personnel, subject to control information series to control 
information submitted by the client administrator. At a clearinghouse, one or more 
VDE installations may operate together with a trusted distributed database 
environment (which may include concurrent database processing means) . A financial 
clearinghouse normally receives at its location securely delivered content usage 
information, and user requests (such as requests for further credit, electronic 
currency, and/or higher credit limit) . Reporting of usage information and user 
requests can be used for supporting electronic currency, billing, payment and 
credit related activities, and/or for user profile analysis and/or broader market 
survey analysis and marketing (consolidated) list generation or other information 
derived, at least in part, from said usage information. This information can be 
provided to content providers or other parties, through secure, authenticated 
encrypted communication to the VDE installation secure subsystems. Clearinghouse 
processing means would normally be connected to specialized I/O means, which may 
include high speed telecommunication switching means that may be used for secure 
communications between a clearinghouse and other VDE pathway participants, securely 
support electronic currency and credit usage control, storage, and communication 
at, and between, VDE installations. VDE further supports automated passing of 
electronic currency and/or credit information, including payment tokens (such as in 
the form of electronic currency or credit) or other payment information, through a 
pathway of payment, which said pathway may or may not be the same as a pathway for 
content usage information reporting . Such payment may be placed into a VDE 
container created automatically by a VDE installation in response to control 
information stipulating the "withdrawal" of credit or electronic currency from an 
electronic credit or currency account based upon an amount owed resulting from 
usage of VDE controlled electronic content and/or appliances. Payment credit or 
currency may then be automatically communicated in protected (at least in part 
encrypted) form through telecommunication of a VDE container to an appropriate 
party such as a clearinghouse, provider of original property content or appliance, 
or an agent for such provider (other than a clearinghouse) . Payment information may 
be packaged in said VDE content container with, or without, related content usage 
information, such as metering information. An aspect of the present invention 
further enables certain information regarding currency use to be specified as 
unavailable to certain, some, or all VDE parties ("conditionally" to fully 
anonymous currency) and/or further can regulate certain content information, such 
as currency and/or credit use related information (and/or other electronic 
information usage data ) to be available only under certain strict circumstances, 
such as a court order (which may itself require authorization through the use of a 
court controlled VDE installation that may be required to securely access 
"conditionally" anonymous information) . Currency and credit information, under the 
preferred embodiment of the present invention, is treated as administrative 
content; support fingerprinting (also known as watermarking) for embedding in 
content such that when content protected under the present invention is released in 
clear form from a VDE object (displayed, printed, communicated, extracted, and/or 
saved) , information representing the identification of the user and/or VDE 
installation responsible for transforming the content into clear form is embedded 
into the released content. Fingerprinting is useful in providing an ability to 
identify who extracted information in clear form a VDE container, or who made a 
copy of a VDE object or a portion of its contents. Since the identity of the user 
and/or other identifying information may be embedded in an obscure or generally 
concealed manner, in VDE container content and/or control information, potential 
copyright violators may be deterred from unauthorized extraction or copying. 
Fingerprinting normally is embedded into unencrypted electronic content or control 
information, though it can be embedded into encrypted content and later placed in 
unencrypted content in a secure VDE installation sub-system as the encrypted 
content carrying the fingerprinting information is decrypted. Electronic 
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information, such as the content of a VDE container, may be fingerprinted as it 
leaves a network (such as Internet) location bound for a receiving party. Such 
repository information may be maintained in unencrypted form prior to communication 
and be encrypted as it leaves the repository. Fingerprinting would preferably take 
place as the content leaves the repository, but before the encryption step. 
Encrypted repository content can be decrypted, for example in a secure VDE sub- 
system, fingerprint information can be inserted, and then the content can be re- 
encrypted for transmission. Embedding identification information of the intended 
recipient user and/or VDE installation into content as it leaves, for example, an 
Internet repository, would provide important information that would identify or 
assist in identifying any party that managed to compromise the security of a VDE 
installation or the delivered content. If a party produces an authorized clear form 
copy of VDE controlled content, including making unauthorized copies of an 
authorized clear form copy, fingerprint information would point back to that 
individual and/or his or her VDE installation. Such hidden information will act as 
a strong disincentive that should dissuade a substantial portion of potential 
content "pirates" from stealing other parties electronic information. Fingerprint 
information identifying a receiving party and/or VDE installation can be embedded 
into a VDE object before, or during, decryption, replication, or communication of 
VDE content objects to receivers . Fingerprinting electronic content before it is 
encrypted for transfer to a customer or other user provides information that can be 
very useful for identifying who received certain content which may have then been 
distributed or made available in unencrypted form. This information would be useful 
in tracking who may have "broken" the security of a VDE installation and was 
illegally making certain electronic content available to others. Fingerprinting may 
provide additional, available information such as time and/or date of the release 
(for example extraction) of said content information. Locations for ^inserting * 
fingerprints may be specified by VDE installation and/or content container control 
information. This information may specify that certain areas and/or precise 
locations within properties should be used for fingerprinting, such as one or more 
certain fields of information or information types. Fingerprinting information may 
be incorporated into a property by modifying in a normally undetectable way color 
frequency and/or the brightness of certain image pixels, by slightly modifying 
certain audio signals as to frequency, by modifying font character formation, etc. 
Fingerprint information, itself, should be encrypted so as to make it particularly 
difficult for tampered fingerprints to be interpreted as valid. Variations in 
fingerprint 

Brief Summary Text - BSTX (105) : 

locations for different copies of the same property; "false" fingerprint 
information; and multiple copies of fingerprint information within a specific 
property or other content which copies employ different fingerprinting techniques 
such as information distribution patterns, frequency and/or brightness 
manipulation, and encryption related techniques, are features of the present 
invention for increasing the difficulty of an unauthorized individual identifying 
fingerprint locations and erasing and/or modifying fingerprint information, provide 
smart object agents that can carry requests, data, and/or methods, including 
budgets, authorizations, credit or currency, and content. For example, smart 
objects may travel to and/or from remote information resource locations and fulfill 
requests for electronic information content. Smart objects can, for example, be 
transmitted to a remote location to perform a specified database search on behalf 
of a user or otherwise "intelligently" search remote one or more repositories of 
information for user desired information. After identifying desired information at 
one or more remote locations, by for example, performing one or more database 
searches, a smart object may return via communication to the user in the form of a 
secure "return object" containing retrieved information. A user may be charged for 
the remote retrieving of information, the returning of information to the user's 
VDE installation, and/or the use of such information. In the latter case, a user 
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may be charged only for the information in the return object that the user actually 
uses. Smart objects may have the means to request use of one or more services 
and/or resources . Services include locating other services and/or resources such as 
information resources, language or format translation, processing, credit (or 
additional credit) authorization, etc. Resources include reference databases, 
networks, high powered or specialized computing resources (the smart object may 
carry information to another computer to be efficiently processed and then return 
the information to the sending VDE installation), remote object repositories, etc. 
Smart objects can make efficient use of remote resources (e.g. centralized 
databases, super computers, etc.) while providing a secure means for charging users 
based on information and/or resources actually used, support both "translations" of 
VDE electronic agreements elements into modern language printed agreement elements 
(such as English language agreements) and translations of electronic rights 
protection/transaction management modern language agreement elements to electronic 
VDE agreement elements. This feature requires maintaining a library of textual 
language that corresponds to VDE load modules and/or methods and/or component 
assemblies. As VDE methods are proposed and/or employed for VDE agreements, a 
listing of textual terms and conditions can be produced by a VDE user application 
which, in a preferred embodiment, provides phrases, sentences and/or paragraphs 
that have been stored and correspond to said methods and/or assemblies. This 
feature preferably employs artificial intelligence capabilities to analyze and 
automatically determine, and/or assist one or more users to determine, the proper 
order and relationship between the library elements corresponding to the chosen 
methods and/or assemblies so as to compose some or all portions of a legal or 
descriptive document. One or more users, and/or preferably an attorney (if the 
document a legal, binding agreement), would review the generated document material 
upon completion and employ such additional textual information and/or editing as 
necessary to describe non electronic transaction elements of the agreement and make 
any other improvements that may be necessary. These features further support 
employing modern language tools that allow one or more users to make selections 
from choices and provide answers to questions and to produce a VDE electronic 
agreement from such a process. This process can be interactive and the VDE 
agreement formulation process may employ artificial intelligence expert system 
technology that learns from responses and, where appropriate and based at least in 
part on said responses, provides further choices and/or questions which "evolves" 
the desired VDE electronic agreement, support the use of multiple VDE secure 
subsystems in a single VDE installation. Various security and/or performance 
advantages may be realized by employing a distributed VDE design within a single 
VDE installation. For example, designing a hardware based VDE secure subsystem into 
an electronic appliance VDE display device, and designing said subsystem 1 s 
integration with said display device so that it is as close as possible to the 
point of display, will increase the security for video materials by making it 
materially more difficult to "steal" decrypted video information as it moves from 
outside to inside the video system. Ideally, for example, a VDE secure hardware 
module would be in the same physical package as the actual display monitor, such as 
within the packaging of a video monitor or other display device, and such device 
would be designed, to the extent commercially practical, to be as tamper resistant 
as reasonable. As another example embedding a VDE hardware module into an I/O 
peripheral may have certain advantages from the standpoint of overall system 
throughput. If multiple VDE instances are employed within the same VDE 
installation, these instances will ideally share resources to the extent practical, 
such as VDE instances storing certain control information and content and/or 
appliance usage information on the same mass storage device and in the same VDE 
management database, requiring reporting and payment compliance by employing 
exhaustion of budgets and time ageing of keys. For example, a VDE commercial 
arrangement and associated content control information may involve a content 
provider's content and the use of clearinghouse credit for payment for end-user 
usage of said content. Control information regarding said arrangement may be 
delivered to a user's (of said content) VDE installation and/or said financial 
clearinghouse's VDE installation. Said control information might require said 
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clearinghouse to prepare and telecommunicate to said content provider both content 
usage based information in a certain form, and content usage payment in the form of 
electronic credit {such credit might be "owned" by the provider after receipt and 
used in lieu of the availability or adequacy of electronic currency) and/or 
electronic currency. This delivery of information and payment may employ trusted 
VDE installation secure subsystems to securely, and in some embodiments, 
automatically, provide in the manner specified by said control information, said 
usage information and payment content. Features of the present invention help 
ensure that a requirement that a clearinghouse report such usage information and 
payment content will be observed. For example, if one participant to a VDE 
electronic agreement fails to observe such information reporting and/or paying 
obligation, another participant can stop the delinquent party from successfully 
participating in VDE activities related to such agreement. For example, if required 
usage information and payment was not reported as specified by content control 
information, the "injured" party can fail to provide, through failing to securely 
communicate from his VDE installation secure subsystem, one or more pieces of 
secure information necessary for the continuance of one or more critical processes. 
For example, failure to report information and/or payment from a clearinghouse to a 
content provider (as well as any security failures or other disturbing 
irregularities) can result in the content provider not providing key and/or budget 
refresh information to the clearinghouse, which information can be necessary to 
authorize use of the clearinghouse's credit for usage of the provider's content and 
which the clearinghouse would communicate to end-user's during a content usage 
reporting communication between the clearinghouse and end-user. As another example, 
a distributor that failed to make payments and/or report usage information to a 
content provider might find that their budget for creating permissions records to 
distribute the content provider's content to users, and/or a security budget 
limiting one or more other aspect of their use of the provider's content, are not 
being refreshed by the content provider, once exhausted or timed-out (for example, 
at a predetermined date) . In these and other cases, the offended party might decide 
not to refresh time ageing keys that had "aged out." Such a use of time aged keys 
has a similar impact as failing to refresh budgets or time-aged authorizations, 
support smart card implementations of the present invention in the form of portable 
electronic appliances, including cards that can be employed as secure credit, 
banking, and/or money cards. A feature of the present invention is the use of 
portable VDEs as transaction cards at retail and other establishments, wherein such 
cards can "dock" with an establishment terminal that has a VDE secure sub-system 
and/or an online connection to a VDE secure and/or otherwise secure and compatible 
subsystem, such as a "trusted" financial clearinghouse (e.g., VISA, Mastercard). 
The VDE card and the terminal (and/or online connection) can securely exchange 
information related to a transaction, with credit and/or electronic currency being 
transferred to a merchant and/or clearinghouse and transaction information flowing 
back to the card. Such a card can be used for transaction activities of all sorts. 
A docking station, such as a PCMCIA connector on an electronic appliance, such as a 
personal computer, can receive a consumer's VDE card at home. Such a station/card 
combination can be used for on-line transactions in the same manner as a VDE 
installation that is permanently installed in such an electronic appliance. The 
card can be used as an "electronic wallet" and contain electronic currency as well 
as credit provided by a clearinghouse. The card can act as a convergence point for 
financial activities of a consumer regarding many, if not all, merchant, banking, 
and on-line financial transactions, including supporting home banking activities. A 
consumer can receive his paycheck and/or investment earnings and/or "authentic" VDE 
content container secured detailed information on such receipts, through on-line 
connections. A user can send digital currency to another party with a VDE 
arrangement, including giving away such currency. A VDE card can retain details of 
transactions in a highly secure and database organized fashion so that financially 
related information is both consolidated and very easily retrieved and/or analyzed. 
Because of the VDE security, including use of effective encryption, authentication, 
digital signaturing, and secure database structures, the records contained within a 
VDE card arrangement may be accepted as valid transaction records for government 
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and/or corporate recordkeeping requirements. In some embodiments of the present 
invention a VDE card may employ docking station and/or electronic appliance storage 
means and/or share other VDE arrangement means local to said appliance and/or 
available across a network, to augment the information storage capacity of the VDE 
card, by for example, storing dated, and/or archived, backup information. Taxes 
relating to some or all of an individual's financial activities may be 
automatically computed based on "authentic" information securely stored and 
available to said VDE card. Said information may be stored in said card, in said 
docking station, in an associated electronic appliance, and/or other device 
operatively attached thereto, and/or remotely, such as at a remote server site. A 
card's data, e.g. transaction history, can be backed up to an individual's personal 
computer or other electronic appliance and such an appliance may have an integrated 
VDE installation of its own. A current transaction, recent transactions (for 
redundancy) , or all or other selected card data may be backed up to a remote backup 
repository, such a VDE compatible repository at a financial clearinghouse, during 
each or periodic docking for a financial transaction and/or information 
communication such as a user/merchant transaction. Backing up at least the current 
transaction during a connection with another party's VDE installation (for example 
a VDE installation that is also on a financial or general purpose electronic 
network) , by posting transaction information to a remote clearinghouse and/or bank, 
can ensure that sufficient backup is conducted to enable complete reconstruction of 
VDE card internal information in the event of a card failure or loss, support 
certification processes that ensure authorized interoperability between various VDE 
installations so as to prevent VDE arrangements and/or installations that 
unacceptably deviate in specification protocols from other VDE arrangements and/or 
installations from interoperating in a manner that may introduce security 
(integrity and/or confidentiality of VDE secured information), process control, 
and/or software compatibility problems. Certification validates the identity of VDE 
installations and/or their components, as well as VDE users. Certification data can 
also serve as information that contributes to determining the decommissioning or 
other change related to VDE sites . support the separation of fundamental 
transaction control processes through the use of event (triggered) based method 
control mechanisms. These event methods trigger one or more other VDE methods 
(which are available to a secure VDE sub-system) and are used to carry out VDE 
managed transaction related processing. These triggered methods include 
independently (separably) and securely processable component billing management 
methods, budgeting management methods, metering management methods, and related 
auditing management processes. As a result of this feature of the present 
invention, independent triggering of metering, auditing, billing, and budgeting 
methods, the present invention is able to efficiently, concurrently support 
multiple financial currencies (e.g. dollars, marks, yen) and content related 
budgets, and/or billing increments as well as very flexible content distribution 
models, support, complete, modular separation of the control structures related to 
(1) content event triggering, (2) auditing, (3) budgeting (including specifying no 
right of use or unlimited right of use), (4) billing, and (5) user identity (VDE 
installation, client name, department, network, and/or user, etc.). The 
independence of these VDE control structures provides a flexible system which 
allows plural relationships between two or more of these structures, for example, 
the ability to associate a financial budget with different event trigger structures 
(that are put in place to enable controlling content based on its logical 
portions) . Without such separation between these basic VDE capabilities, it would 
be more difficult to efficiently maintain separate metering, budgeting, 
identification, and/or billing activities which involve the same, differing 
(including overlapping) , or entirely different, portions of content for metering, 
billing, budgeting, and user identification, for example, paying fees associated 
with usage of content, performing home banking, managing advertising services, etc. 
VDE modular separation of these basic capabilities supports the programming of 
plural, "arbitrary" relationships between one or differing content portions (and/or 
portion units) and budgeting, auditing, and/or billing control information. For 
example, under VDE, a budget limit of $200 dollars or 300 German Marks a month may 
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be enforced for decryption of a certain database and 2 U.S. Dollars or 3 German 
Marks may be charged for each record of said database decrypted (depending on user 
selected currency) . Such usage can be metered while an additional audit for user 
profile purposes can be prepared recording the identity of each filed displayed. 
Additionally, further metering can be conducted regarding the number of said 
database bytes that have been decrypted, and a related security budget may prevent 
the decrypting of more than 5% of the total bytes of said database per year. The 
user may also, under VDE (if allowed by senior control information), collect audit 
information reflecting usage of database fields by different individuals and client 
organization departments and ensure that differing rights of access and differing 
budgets limiting database usage can be applied to these client individuals and 
groups. Enabling content providers and users to practically employ such diverse 
sets of user identification, metering, budgeting, and billing control information 
results, in part, from the use of such independent control capabilities. As a 
result, VDE can support great configurability in creation of plural control models 
applied to the same electronic property and the same and/or plural control models 
applied to differing or entirely different content models (for example, home 
banking versus electronic shopping) . 

Brief Summary Text - BSTX (108) : 

A feature of VDE provided by the present invention is that certain one or more 
methods can be specified as required in order for a VDE installation and/or user to 
be able to use certain and/or all content. For example, a distributor of a certain 
type of content might be allowed by "senior" participants (by content creators, for 
example) to require a method which prohibits end-users from electronically saving 
decrypted content, a provider of credit for VDE transactions might require an audit 
method that records the time of an electronic purchase, and/or a user might require 
a method that summarizes usage information for reporting to a clearinghouse (e.g. 
billing information) in a way that does not convey confidential, personal 
information regarding detailed usage behavior. 

Brief Summary Text - BSTX (112) : 

Control information may be provided by a party who does not directly participate 
in the handling of electronic content (and/or appliance) and/or control information 
for such content (and/or appliance) . Such control information may be provided in 
secure form using VDE installation secure sub-system managed communications 
(including, for example, authenticating the deliverer of at least in part encrypted 
control information) between such not directly participating one or more parties 1 
VDE installation secure subsystems, and a pathway of VDE content control 
information participant's VDE installation secure subsystem. This control 
information may relate to, for example, the right to access credit supplied by a 
financial services provider, the enforcement of regulations or laws enacted by a 
government agency, or the requirements of a customer of VDE managed content usage 
information (reflecting usage of content by one or more parties other than such 
customer) relating to the creation, handling and/or manner of reporting of usage 
information received by such customer. Such control information may, for example, 
enforce societal requirements such as laws related to electronic commerce. 

Brief Summary Text - BSTX (115) : 

Normally, most usage, audit, reporting, payment, and distribution control 
methods are themselves at least in part encrypted and are executed by the secure 
subsystem of a VDE installation. Thus, for example, billing and metering records 
can be securely generated and updated, and encryption and decryption keys are 
securely utilized, within a secure subsystem. Since VDE also employs secure (e.g. 
encrypted and authenticated) communications when passing information between the 
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participant location (nodes) secure subsystems of a VDE arrangement, important 
components of a VDE electronic agreement can be reliably enforced with sufficient 
security (sufficiently trusted) for the intended commercial purposes. A VDE 
electronic agreement for a value chain can be composed, at least in part, of one or 
more subagreements between one or more subsets of the value chain participants. 
These subagreements are comprised of one or more electronic contract "compliance" 
elements (methods including associated parameter data) that ensure the protection 
of the rights of VDE participants. 

Brief Summary Text - BSTX (117) : 

The updating of property management files ,at each location of a VDE arrangement, 
to accommodate new or modified control information, is performed in the VDE secure 
subsystem and under the control of secure management file updating programs 
executed by the protected subsystem. Since all secure communications are at least 
in part encrypted and the processing inside the secure subsystem is concealed from 
outside observation and interference, the present invention ensures that content 
control information can be enforced. As a result, the creator and/or distributor 
and/or client administrator and/or other contributor of secure control information 
for each property (for example, an end-user restricting the kind of audit 
information he or she will allow to be reported and/or a financial clearinghouse 
establishing certain criteria for use of its credit for payment for use of 
distributed content) can be confident that their contributed and accepted control 
information will be enforced (within the security limitations of a given VDE 
security implementation design) . This control information can determine, for 
example: (1) How and/or to whom electronic content can be provided, for example, 
how an electronic property can be distributed; (2) How one or more objects and/or 
properties, or portions of an object or property, can be directly used, such as 
decrypted, displayed, printed, etc; (3) How payment for usage of such content 
and/or content portions may or must be handled; and (4) How audit information about 
usage information related to at least a portion of a property should be collected, 
reported, and/or used. 

Brief Summary Text - BSTX (124) : 

Electronic agreements supported by the preferred embodiment of the present 
invention can vary from very simple to very elaborate. They can support widely 
diverse information management models that provide for electronic information 
security, usage administration, and communication and may support: (a) secure 
electronic distribution of information, for example commercial literary properties, 
(b) secure electronic information usage monitoring and reporting, (c) secure 
financial transaction capabilities related to both electronic information and/or 
appliance usage and other electronic credit and/or currency usage and 
administration capabilities, (d) privacy protection for usage information a user 
does not wish to release, and (e) "living" electronic information content 
dissemination models that flexibly accommodate: (1) a breadth of participants, (2) 
one or more pathways (chains) for: the handling of content, content and/or 
appliance control information, reporting of content and/or appliance usage related 
information, and/or payment, (3) supporting an evolution of terms and conditions 
incorporated into content control information, including use of electronic 
negotiation capabilities, (4) support the combination of multiple pieces of content 
to form new content aggregations, and (5) multiple concurrent models. 

Brief Summary Text - BSTX (126) : 

An important part of VDE provided by the present invention is the core secure 
transaction control arrangement, herein called an SPU (or SPUs) , that typically 
must be present in each user's computer, other electronic appliance, or network. 
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SPUs provide a trusted environment for generating decryption keys, encrypting and 
decrypting information, managing the secure communication of keys and other 
information between electronic appliances (i.e. between VDE installations and/or 
between plural VDE instances within a single VDE installation), securely 
accumulating and managing audit trail, reporting, and budget information in secure 
and/or non-secure non-volatile memory, maintaining a secure database of control 
information management instructions, and providing a secure environment for 
performing certain other control and administrative functions. 

Detailed Description Text - DETX (11) : 

For example, video production studio 204 might release a half-hour exercise 
video in the hope that as many viewers as possible will view it. The video 
production studio 204 wishes to receive $2.00 per viewing. Video production studio 
204 may, through information utility 200, make the exercise video available in 
protected" form to all consumers 206, 208, 210. Video production studio 204 may 
also provide "rules and controls" for the video. These "rules and controls" may 
specify for example: (1) any consumer who has good credit of at least $2.00 based 
on a credit account with independent financial provider 212 (such as Mastercard or 
VISA) may watch the video, (2) virtual distribution environment 100 will "meter" 
each time a consumer watches the video, and report usage to video production studio 
204 from time to time, and (3) financial provider 212 may electronically collect 
payment ($2.00) from the credit account of each consumer who watches the video, and 
transfer these payments to the video production studio 204. 

Detailed Description Text - DETX (17) : 

Information utility 200 may include a "transaction processor" 200b that 
processes transactions (to transfer electronic funds, for example) based on 
requests from participants and/or report receiver 200e. It may also include a 
"usage analyst" 200c that analyzes reported usage information. A " report creator" 
200d may create reports based on usage for example, and may provide these reports 
to outside participants and/or to participants within information utility 200. A 
" report receiver" 200e may receive reports such as usage reports from content 
users. A "permissioning agent" 200f may distribute "rules and controls" granting 
usage or distribution permissions based on a profile of a consumer's credit 
worthiness, for example. An administrator 200h may provide information that keeps 
the virtual distribution environment 100 operating properly. A content and message 
storage 200g may store information for use by participants within or outside of 
information utility 200. 

Detailed Description Text - DETX (23) : 

In this FIG. 2 example, information relating to content use is, as shown by 
arrow 114, reported to a financial clearinghouse 116. Based on this " reporting, " 
the financial clearinghouse 116 may generate a bill and send it to the content user 
112 over a " reports and payments" network 118. Arrow 120 shows the content user 112 
providing payments for content usage to the financial clearinghouse 116. Based on 
tn e reports and payments it receives, the financial clearinghouse 116 may provide 
reports and/or payments to the distributor 106. The distributor 106 may, as shown 
by arrow 122, provide reports and/or payments to the content creator 102. The 
clearinghouse 116 may provide, reports and payments directly to the creator 102. 
Reporting and/or payments may be done differently. For example, clearinghouse 116 
may directly or through an agent, provide reports and/or payments to each of VDE 
content creators 102, and rights distributor 106, as well as reports to content 
user 112. 

Detailed Description Text - DETX (27) : 
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The virtual distribution environment 100 prevents use of protected information 
except as permitted by the "rules and controls" {control information) . For example, 
the "rules and controls" shown in FIG. 2 may grant specific individuals or classes 
of content users 112 "permission" to use certain content. They may specify what 
kinds of content usage are permitted, and what kinds are not. They may specify how 
content usage is to be paid for and how much it costs. As another example, "rules 
and controls" may require content usage information to be reported back to the 
distributor 106 and/or content creator 102. 

Detailed Description Text - DETX (28) : 

Every VDE participant in "chain of handling and control" is normally subject to 
"rules and controls." "Rules and controls" define the respective rights and 
obligations of each of the various VDE participants. "Rules and controls" provide 
information and mechanisms that may establish interdependencies and relationships 
between the participants. "Rules and controls" are flexible, and permit "virtual 
distribution environment" 100 to support most "traditional" business transactions. 
For example: "Rules and controls" may specify which financial clearinghouse (s ) 116 
may process payments, "Rules and controls" may specify which participant ( s ) receive 
what kind of usage report, and "Rules and controls" may specify that certain 
information is revealed to certain participants, and that other information is kept 
secret from them. 

Detailed Description Text - DETX (31) : 

Rules and controls" can be used to protect the content user's privacy by 
limiting the information that is reported to other VDE participants. As one 
example, "rules and controls" can cause content usage information to be reported 
anonymously without revealing content user identity, or it can reveal only certain 
information to certain participants (for example, information derived from usage) 
with appropriate permission, if required. This ability to securely control what 
information is revealed and what VDE participant { s ) it is revealed to allows the 
privacy rights of all VDE participants to be protected. 

Detailed Description Text - DETX (35) : 

The virtual distribution environment 100 also allows payment and reporting means 
to be delivered separately. For example, the content user 112 may have a virtual 
"credit card" that extends credit (up to a certain limit) to pay for usage of any 
content. A "credit transaction" can take place at the user's site without requiring 
any "online" connection or further authorization. This invention can be used to 
help securely protect the virtual "credit card" against unauthorized use. 

Detailed Description Text - DETX (39) : 

"Meter" process 404 keeps track of events, and may report usage to distributor 
106 and/or other appropriate VDE participant (s) . FIG. 4 shows that process 404 can 
be based on a number of different factors such as: (a) type of usage to charge for, 
(b) what kind of unit to base charges on, (c) how much to charge per unit, (d) when 
to report, and (e) how to pay. 

Detailed Description Text - DETX (41) : 

Billing process 406 determines how much to charge for events. It records and 
reports payment information. 

Detailed Description Text - DETX (42) : 
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Budget process 408 limits how much content usage is permitted. For example, 
budget process 4 08 may limit the number of times content may be accessed or copied, 
or it may limit the number of pages or other amount of content that can be used 
based on, for example, the number of dollars available in a credit account. Budget 
process 408 records and reports financial and other transaction information 
associated with such limits. 

Detailed Description Text - DETX (205) : 

Method core 1000 1 may be parameterized by an "event code" to permit it to 
respond to different events in different ways. For example, a METER method may 
respond to a "use" event by storing usage information in a meter data structure. 
The same METER method may respond to an "administrative" event by reporting the 
meter data structure to a VDE clearinghouse or other VDE participant. 

Detailed Description Text - DETX (436) : 

This information may be analyzed to detect cracking attempts or to determine 
patterns of usage outside expected (and budgeted) norms. The audit trail histories 
in the SPU 500 may be retained until the audit is reported to the appropriate 
parties. This will allow both legitimate failure analysis and attempts to 
cryptoanalyze the SPU to be noted. 

Detailed Description Text - DETX (438) : 

There are two basic structures for which summary services are used in the 
preferred embodiment. One (the "event summary data structure") is VDE administrator 
specific and keeps track of events. The event summary structure may be maintained 
and audited during periodic contact with VDE administrators; The other is used by 
VDE administrators and/or distributors for overall budget. A VDE administrator may 
register for event summaries and an overall budget summary at the time an 
electronic appliance 600 is initialized. The overall budget summary may be reported 
to and used by a VDE administrator in determining distribution of consumed budget 

(for example) in the case of corruption of secure management files 610. 
Participants that receive appropriate permissions can register their processes 

(e.g., specific budgets) with summary services manager 560, which may then reserve 
protected memory space (e.g., within NVRAM 534b) and keep desired use and/or access 
parameters. Access to and modification of each summary can be controlled by its own 
access tag. 

Detailed Description Text - DETX (491) : 

"Traveling" objects are a class of VDE objects 300 that can specifically support 
"out of channel" distribution. Therefore, they include key block (s) 810 and are 
transportable from one electronic appliance 600 to another. Traveling objects may 
come with a quite limited usage related budget so that a user may use, in whole or 
part, content (such as a computer program, game, or database) and evaluate whether 
to acquire a license or further license or purchase object content. Alternatively, 
traveling object PERCs 808 may contain or reference budget records with, for 
example: (a) budget (s) reflecting previously purchased rights or credit for future 
licensing or purchasing and enabling at least one or more types of object content 
usage, and/or (b) budget (s) that employ (and may debit) available credit (s) stored 
on and managed by the local VDE node in order to enable object content use, and/or 
(c) budget (s) reflecting one or more maximum usage criteria before a report to a 
local VDE node (and, optionally, also a report to a clearinghouse) is required and 
which may be followed by a reset allowing further usage, and/or modification of one 
or more of the original one or more budget (s). 
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Detailed Description Text - DETX (511) : 

FIG. 21 shows an example of an administrative object structure 870 provided by 
the preferred embodiment. An "administrative object" generally contains 
permissions, administrative control information, computer software and/or methods 
associated with the operation of VDE 100. Administrative objects may also or 
alternatively contain records of use, and/or other information used in, or related 
to, the operation of VDE 100. An administrative object may be distinguished from a 
content object by the absence of VDE protected "content" for release to an end user 
for example. Since objects may contain other objects, it is possible for a single 
object to contain one or more content containing objects and one or more 
administrative objects. Administrative objects may be used to transmit information 
between electronic appliances for update, usage reporting, billing and/or control 
purposes. They contain information that helps to administer VDE 100 and keep it 
operating properly. Administrative objects generally are sent between two VDE 
nodes, for example, a VDE clearinghouse service, distributor, or client 
administrator and an end user's electronic appliance 600. 

Detailed Description Text - DETX (530) : 

Referring once again to FIG. 22, method event table 1006 may in the preferred 
embodiment include from 1 to N method event records 1012. Each of these method 
event records 1012 corresponds to a different event the method 1000 represented by 
method core 1000 1 may respond to. Methods 1000 in the preferred embodiment may have 
completely different behavior depending upon the event they respond to. For 
example, an AUDIT method may store information in an audit trail UDE 1200 in 
response to an event corresponding to a user's use of an object or other resource. 
This same AUDIT method may report the stored audit trail to a VDE administrator or 
other participant in response to an administrative event such as, for example, a 
timer expiring within a VDE node or a request from another VDE participant to 
report the audit trail. In the preferred embodiment, each of these different events 
may be represented by an "event code." This "event code" may be passed as a 
parameter to a method when the method is called, and used to "look up" the 
appropriate method event record 1012 within method event table 1006. The selected 
method event record 1012, in turn, specifies the appropriate information (e.g., 
load module(s) 1100, data element UDE(s) and MDE(s) 1200, 1202, and/or PERC(s) 808) 
used to construct a component assembly 690 for execution in response to the. event 
that has occurred. 

Detailed Description Text - DETX (663) : 

The need to back up secure database 610 may be checked at power on of electronic 
appliance 600, when SPE 503 is initially invoked, at periodic time intervals, and 
if "audit roll up" value or other summary services information maintained by SPE 
503 exceeds a user set or other threshold, or triggered by criteria established by 
one or more content publishers and/or distributors and/or clearinghouse service 
providers and/or users. The user may be prompted to backup if she has failed to do 
so by or at some certain point in time or after a certain duration of time or 
quantity of usage, or the backup may proceed automatically without user 
intervention . 

Detailed Description Text - DETX (678) : 

The VDE administrator may then compute bills based on the recovered values 
(block 1280), and perform other actions to recover from SPU downtime (block 1282). 
Typically, the goal is to bill the user and adjust other VDE 100 values pertaining 
to the failed electronic appliance 600 for usage that occurred subsequent to the 
last backup but prior to the failure. This process may involve the VDE 
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administrator obtaining, from other VDE participants, reports and other information 
pertaining to usage by the electronic appliance prior to its failure and comparing 
it to the secure database backup to determine which usage and other events are not 
yet accounted for. 

Detailed Description Text - DETX (737) : 

METER method 404 may store an audit record in a meter "trail" UDE 1200, for 
example, and may also record information related to the event in a meter UDE 1200. 
For example, METER method 4 04 may increment or decrement a "meter" value within a 
meter UDE 1200 each time content is accessed. The two different data structures 
(meter UDE and meter trail UDE) may be maintained to permit record keeping for 
reporting purposes to be maintained separately from record keeping for internal 
operation purposes, for example. 

Detailed Description Text - DETX (780) : 

FIG. 53a is a flowchart of example process control steps provided by a more 
general example of an EVENT method 194 0 provided by the preferred embodiment. 
Examples of EVENT methods are set forth in FIGS. 4 9b, 50b and 51b and are described 
above. EVENT method 1940 shown in FIG. 53a is somewhat more generalized than the 
examples above. Like the EVENT method examples above, EVENT method 194 0 receives an 
identification of the event along with an event count and event parameters. EVENT 
method 1940 may first prime an EVENT audit trail (if required) by writing 
appropriate information to an EVENT method Audit Trail UDE (blocks 1942, 1944). 
EVENT method 1940 may then obtain and load an EVENT method map DTD from the secure 
database (blocks 1946, 1948) . This EVENT method map DTD describes, in this example, 
the format of the EVENT method map MDE- to be read and accessed immediately 
subsequently (by blocks 1950, 1952) . In the preferred embodiment, MDEs and UDEs may 
have any of various different formats, and their formats may be flexibly specified 
or changed dynamically depending upon the installation, user, etc. The DTD, in 
effect, describes to the EVENT method 1940 how to read from the EVENT method map 
MDE. DTDs are also used to specify how methods should write to MDEs and UDEs, and 
thus may be used to implement privacy filters by, for example, preventing certain 
confidential user information from being written to data structures that will be 
reported to third parties. 

Detailed Description Text - DETX (987) : 

When an electronic appliance 600 receives a component assembly, an encrypted 
part of the assembly may contain a value that is known only to the party or PPE 650 
that supplied the assembly. This value may be saved with information that must 
eventually returned to the assembly supplier (e.g., audit, billing and related 
information) . When a component supplier requests that information be reported, the 
value may be provided by the supplier so that the local electronic appliance 600 
can check it against the originally supplied value to ensure that the request is 
legitimate. When a new component is received, the value may be checked against an 
old component to determine whether the new component is legitimate (e.g., the new 
value for use in the next report process may be included with the new component) . 

Detailed Description Text - DETX (1001) : 

Finally, the end-to-end nature of VDE applications, in which content 108 flows 
in one direction, generating reports and bills 118 in the other, makes it possible 
to perform "back-end" consistency checks. Such checks, performed in clearinghouses 
116, can detect patterns of use that may or do indicate fraud (e.g., excessive 
acquisition of protected content without any corresponding payment, usage records 
without corresponding billing records). The fine grain of usage reporting and the 
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ready availability of usage records and reports in electronic form enables 
sophisticated fraud detection mechanisms to be built so that fraud-related costs 
can be kept to an acceptable level. 

Detailed Description Text - DETX (1005) : 

If the initialization process 1370 is being performed at the manufacturer, PPE 
650 may first be attached to a testbed. The manufacturing testbed may first reset 
the PPE 650 (e.g., with a power on clear) (Block 1372). If this reset is being 
performed at the manufacturer, then the PPE 650 preferably executes a special 
testbed bootstrap code that completely tests the PPE operation from a software 
standpoint and fails if something is wrong with the PPE. A secure communications 
exchange may then be established between the manufacturing testbed and the PPE 650 
using an initial challenge-response interaction (Block 1374) that is preferably 
provided as part of the testbed bootstrap process. Once this secure communications 
has been established, the PPE 650 may report the results of the bootstrap tests it 
has performed to the manufacturing testbed. Assuming the PPE 650 has tested 
successfully, the manufacturing testbed may download new code into the PPE 650 to 
update its internal bootstrap code (Block 1376) so that it does not go through the 
testbed bootstrap process upon subsequent resets (Block 1376) . The manufacturing 
testbed may then load new firmware into the PPE internal non-volatile memory in 
order to provide additional standard and/or customized capabilities (Block 1378). 
For example, the manufacturing testbed may preload PPE 650 with the load modules 
appropriate for the particular manufacturing lot. This step permits the PPE 500 to 
be customized at the factory for specific applications. 

Detailed Description Text - DETX (1054) : 

Retail, clearinghouse, or other commercial organizations may maintain and use by 
securely communicating to appliance 2600 one or more of generic classifications of 
transaction types (for example, as specified* by government taxation rules) that can 
be used to automate the parsing of information into records and/or for database 
information "roll-ups" for; and/or in portable appliance 2600 or one or more 
associated VDE nodes. In such instances, host 2608 may comprise an auxiliary 
terminal, for example, or it could comprise or be incorporated directly within a 
commercial establishments cash registers or other retail transactions devices. The 
auxiliary terminal could be menu and/or icon driven, and allow very easy user 
selection of categorization. It could also provide templates, based on transaction 
type, that could guide the user through specifying useful or required transaction 
specific information (for example, purpose for a business dinner and/or who 
attended the dinner) . For example, a user might select a business icon, then select 
from travel, sales, meals, administration, or purchasing icons for example, and 
then might enter in very specific information and/or a key word, or other code that 
might cause the downloading of a transaction's detail into the portable appliance 
2600. This information might also be stores by the commercial establishment, and 
might also be communicated to the appropriate government and/or business 
organizations for validation of the reported transactions. (the high level of 
security of auditing and communications and authentication and validation of VDE 
should be sufficiently trusted so as not to require the maintenance of a parallel 
audit history, but parallel maintenance may be supported, and maintained at least 
for a limited period of time so as to provide backup information in the event of 
loss or "failure" of portable appliance 2600 and/or one or more appliance 2600 
associated VDE installations employed by appliance 2600 for historical and/or 
status information record maintenance) . For example, of a retail terminal 
maintained necessary transaction information concerning a transaction involving 
appliance 2600, it could communicate such information to a clearinghouse for 
archiving (and/or other action) or it could periodically, for example, at the end 
of a business day, securely communicate such information, for example, in the form 
of a VDE content container object, to a clearinghouse or clearinghouse agent. Such 
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transaction history (and any required VDE related status information such as 
available credit) can be maintained and if necessary, employed to reconstruct the 
information in a portable appliance 2600 so as to allow a replacement appliance to 
be provided to an appliance 2600 user or properly reset internal information in 
data wherein such replacement and/or resetting provides all necessary transaction 
and status information. 

Detailed Description Text - DETX (1063) : 

The portable appliance 2600 or other VDE electronic appliance 600, can, in one 
embodiment, also automate many tax collection functions. A VDE electronic appliance 
600 may, with great security, record financial transactions, identify the nature of 
the transaction, and identify the required sales or related government transaction 
taxes, debit the taxes from the users available credit, and securely communicate 
this information to one or more government agencies directly at some interval (for 
example monthly), and/or securely transfer this information to, for example, a 
financial clearinghouse, which would then transfer one or more secure, encrypted 
(or unsecure, calculated by clearinghouse, or otherwise computed) information audit 
packets (e.g., VDE content containers and employing secure VDE communication 
techniques) to the one or more appropriate, participating government agencies. The 
overall integrity and security of VDE . 100 could ensure, in a coherent and 
centralized manner, that electronic reporting of tax related information (derived 
from one or more electronic commerce activities) would be valid and comprehensive. 
It could also act as a validating source of information on the transfer of sales 
tax collection (e.g., if, for example, said funds are transferred directly to the 
government by a commercial operation and/or transferred in a manner such that 
reported tax related information cannot be tampered with by other parties in a VDE 
pathway of tax information handling) . A government agency could select transactions 
randomly, or some subset or all of the reported transactions for a given commercial 
operation can be selected. This could be used to ensure that the commercial 
operation is actually paying to the government all appropriate* collected funds 
required for taxes, and can also ensure that end-users are charged appropriate 
taxes for their transactions (including receipt of interest from bank accounts, 
investments, gifts, etc. 

Detailed Description Text - DETX (1066) : 

As described above, the User Modification Exception Interface 686 may be a set 
of user interface programs for handling common VDE functions. These applications 
may be forms of VDE templates and are designed based upon certain assumptions 
regarding important options, specifically, appropriate to a certain VDE user model 
and important messages that must be reported given certain events A primary 
function of the "pop-up" user interface 686 is to provide a simple, consistent user 
interface to, for example, report metering events and exceptions (e.g., any 
condition for which automatic processing is either impossible or arguably 
undesirable) to the user, to enable the user to configure certain aspects of the 
operation of her electronic appliance 600 and, when appropriate, to allow the user 
to interactively control whether to proceed with certain transaction processes. If 
an object contains an exception handling method, that method will control how the 
"pop-up" user interface 686 handles specific classes of exceptions. 

Detailed Description Text - DETX (1153) : 

Since the end-user 112 is the ultimate consumer of content in this example, VDE 
100 is designed to provide protected content in a seamless and transparent way — so 
long as the end-user stays within the limits of the permissions she has received. 
The activities of end-user 112 can be metered so that an audit can be conducted by 
distributors 106. The auditing process may be filtered and/or generalized to 
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satisfy user privacy concerns. For example, metered, recorded VDE content and/or 
appliance usage information may be filtered prior to reporting it to distributor 
106 to prevent more information than necessary from being revealed about content 
user 112 and/or her usage. 

Detailed Description Text - DETX (1168) : 

A VDE node electronic appliance 600 may receive and process audit records on 
behalf of an object provider if that VDE node receives any necessary administrative 
budget, audit method, and audit key information (used, for example, to decrypt 
audit trails), from the object provider. An auditing-capable VDE electronic 
appliance 600 may control execution of audit reduction methods. "Audit reduction" 
in the preferred embodiment is the process of extracting information from audit 
records and/or processes that an object provider (e.g., any object provider along a 
chain of handling of the object) has specified to be reported to an object's 
distributors, object creators, client administrators, and/or any other user of 
audit information. This may include, for example, advertisers who may be required 
to pay for a user's usage of object content. In one embodiment, for example, a 
clearinghouse can have the ability to "append" budget, audit method, and/or audit 
key information to an object or class or other grouping of objects located at a 
user site or located at an object provider site to ensure that desired audit 
processes will take place in a "trusted" fashion. A participant in a chain of 
handling of a VDE content container and/or content container control information 
object may act as a "proxy" for another party in a chain of handling of usage 
auditing information related to usage of object content (for example a 
clearinghouse, an advertiser, or a party interested in market survey and/or 
specific customer usage information). This may be done. by specifying, for that 
other party, budget, audit method, and/or key information that may be necessary to 
ensure audit information is gathered and/or provided to, in a proper manner, said 
additional party. For example, employing specification information provided by said 
other party. 

Detailed Description Text - DETX (1234) : 

A content creator or other content control information provider may budget a 
user (such as a distributor) to create an unlimited number of permissions records 
for a content object, but revoke this right and/or other important usage rights 
through an expiration/termination process if the user does not report his usage 
(provide an audit report ) at some expected one or more points in time and/or after 
a certain interval of time (and/or if the user fails to pay for his usage or 
violates other aspects of the agreement between the user and the content provider) . 
This termination (or suspension or other specified consequence) can be enforced, 
for example, by the expiration of time-aged encryption keys which were employed to 
encrypt one or more aspects of control information. This same termination (or other 
specified consequence such as budget reduction, price increase, message displays on 
screen to users, messages to administrators, etc. ) can also be the consequence of 
the failure by a user or the users VDE installation to complete a monitored 
process, such as paying for usage in electronic currency, failure to perform 
backups of important stored information (e.g., content and/or appliance usage 
information, control information, etc.), failure to use a repeated failure to use 
the proper passwords or other identifiers, etc.). 

Detailed Description Text - DETX (1235) : 

Generally, the collection of audit information that is collected for reporting 
to a certain auditor can be enforced by expiration and/or other termination 
processes. For example, the user's VDE node may be instructed (a) from an external 
source to no longer perform certain tasks, (b) carries within its control structure 



http://127.0.0.1:4343/C:/^ 1/21/04 



DOCUMENT-IDENTIFIER: US 6363488 Bl 



Page 32 of 45 



information informing it to no longer perform certain tasks, or (c) is elsewise no 
longer able to perform certain tasks. The certain tasks might comprise one or more 
enabling operations due to a user's (or installation's) failure to either report 
said audit information to said auditor and/or receive back a secure confirmation of 
receipt and/or acceptance of said audit information. If an auditor fails to receive 
audit information from a user (or some other event fails to occur or occur 
properly), one or more time-aged keys which are used, for example, as a security 
component of an embodiment of the present invention, may have their aging suddenly 
accelerated (completed) so that one or more processes related to said time-aged 
keys can no longer be performed. 

Detailed Description Text - DETX (1238) : 

Great flexibility exists in the enforcement of audit trail requirements. For 
example, a creator (or other content provider or control information provider or 
auditor in an object's or audit report ' s chain of handling) may allow changes by an 
auditor for event trails, but not allow anyone but themselves to read those trails, 
and limit the redistribution of this right to, for example, six levels. 
Alternatively, a creator or other controlling party may give a distributor the 
right to process, for example, 100,000 audit records (and/or, for example, the 
right to process 12 audit records from a given user) before reporting their usage. 
If a creator or other controlling party desires, he may allow (and/or require) 
separate (and containing different, a subset of, overlapping, or the same 
information) audit "packets" containing audit information, certain of said audit 
information to be processed by a distributor and certain other of said audit 
information to be passed back to the creator and/or other auditors (each receiving 
the same, overlapping, a subset of; or different audit information) . Similarly, as 
long as allowed by, for example, an object creator, a distributor (or other content 
and/or control information provider) may require audit information to be passed 
back to it, for example, after every 50,000 audit records are processed (or any 
other unit of quantity and/or after a certain time interval and/or at a certain 
predetermined date) by a redistributor . In the preferred embodiment, audit rules, 
like other control structures, may be stipulated at any stage of a distribution 
chain of handling as long as the right to stipulate said rules has not been 
restricted by a more "senior" object and/or control information distributing (such 
as an auditing) participant. 

Detailed Description Text - DETX (1240) : 

An important function of an auditor (receiver of audit information) is to pass 
administrative events back to a user VDE node in acknowledgement that audit 
information has been received and/or "recognized." In the preferred embodiment, the 
receipt and/or acceptance of audit information may be followed by two processes. 
The first event will cause the audit data at a VDE node which prepared an audit 
report to be deleted, or compressed into, or added to, one or more summary values. 
The second event, or set of events, will "inform" the relevant security (for 
example, termination and/or other consequence) control information (for example, 
budgets) at said VDE node of the audit receipt, modify expiration dates, provide 
key updates, and/or etc. In most cases, these events will be sent immediately to a 
site after an audit trail is received. In some cases, this transmission may be 
delayed to, for example, first allow processing of the audit trail and/or payment 
by a user to an auditor or other party. 

Detailed Description Text - DETX (1242) : 

Delivery of audit reports through a path of handling may be in part insured by 
an inverse (return of information) audit method. Many VDE methods have at least two 
pieces: a portion that manages the process of producing audit information at a 
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user's VDE node; and a portion that subsequently acts on audit data. In an example 
of the handling of audit information bound for a plurality of auditors, a single 
container object is received at a clearinghouse (or other auditor) . This container 
may contain (a) certain encrypted audit information that is for the use of the 
clearinghouse itself, and (b) certain other encrypted audit information bound for 
other one or more auditor parties. The two sets of information may have the same, 
overlapping and in part different, or entirely different, information content. 
Alternatively, the clearinghouse VDE node may be able to work with some or all of 
the provided audit information. The audit information may be, in part, or whole, in 
some summary and/or analyzed form further processed at the clearinghouse and/or may 
be combined with other information to form a, at least in part, derived set of 
information and inserted into one or more at least in part secure VDE objects to be 
communicated to said one or more (further) auditor parties. When an audit 
information container is securely processed at said clearinghouse VDE node by said 
inverse (return) audit method, the clearinghouse VDE node can create one or more 
VDE administrative objects for securely carrying audit information to other 
auditors while separately processing the secure audit information that is specified 
for use by said clearinghouse. Secure audit processes and credit information 
distribution between VDE participants normally takes place within the secure VDE 
"black box, " that is processes are securely processed within secure VDE PPE650 and 
audit information is securely communicated between the VDE secure subsystems of vDE 
participants employing VDE secure communication techniques (e.g., public key 
encryption, and authentication) . 

Detailed Description Text - DETX (1244) : 

One or more permissions records that manage the creation and use of an audit 
report object (and may manage other aspects of object use as well) may be received 
by a user's system during an audit information reporting exchange (or other 
electronic interaction between a user and an auditor or auditor agent) . Each 
received permissions record may govern the creation of the next audit report 
object. After the reporting of audit information, a new permissions record may be 
required at a user's VDE node to refresh the capability of managing audit report 
creation and audit information transfer for the next audit reporting cycle. In our 
above example, enabling an auditor to supply one or more permissions records to a 
user for the purpose of audit reporting may require that an auditor (such as a 
clearinghouse) has received certain, specified permissions records itself from 
"upstream" auditors (such as, for example, content and/or other content control 
information providers) . Information provided by these upstream permissions records 
may be integrated into the one or more permissions records at an auditor VDE (e.g., 
clearinghouse) installation that manage the permissions record creation cycle for 
producing administrative objects containing permissions records that are bound for 
users during the audit information reporting exchange. If an upstream auditor fails 
to receive, and/or is unable to process, required audit information, this upstream 
auditor may fail to provide to the clearinghouse (in this example) the required 
permissions record information which enables a distributor to support the next 
permission record creation/auditing cycle for a given one or more objects (or class 
of objects). As a result, the clearinghouse's VDE node may be unable to produce the 
next cycle's permissions records for users, and/or perform some other important 
process. This VDE audit reporting control process may be entirely electronic 
process management involving event driven VDE activities at both the intended audit 
information receiver and sender and employing both their secure PPE650 and secure 
VDE communication techniques. 

Detailed Description Text - DETX (1245) : 

In the. preferred embodiment, each time a user registers a new object with her 
own VDE node, and/or alternatively, with a remote clearinghouse and/or distributor 
VDE node, one or more permissions records are provided to, at least in part, govern 
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the use of said object. The permissions records, may be provided dynamically during 
a secure UDE registration process (employing the VDE installation secure 
subsystem) , and/or may be provided following an initial registration and received 
at some subsequent time, e.g. through one or more separate secure VDE 
communications, including, for example, the receipt of a physical arrangement 
containing or otherwise carrying said information. At least one process related to 
the providing of the one or more permissions records to a user can trigger a 
metering event which results in audit information being created reflecting the 
user's VDE node's, clearinghouse's, and/or distributor's permissions records 
provision process. This metering process may not only record that one or more 
permissions records have been created. It may also record the VDE node name, user 
name, associated object identification information, time, date, and/or other 
identification information. Some or all of this information can become part of 
audit information securely reported by a clearinghouse or distributor, for example, 
to an auditing content creator and/or other content provider. This information can 
be reconciled by secure VDE applications software at a receiving auditor's site 
against a user's audit information passed through by said clearinghouse or 
distributor to said auditor. For each metered one or more permissions records (or 
set of records) that were created for a certain user (and/or VDE node) to manage 
use of certain one or more VDE object (s) and/or to manage the creation of VDE 
object audit reports, it may be desirable that an auditor receive corresponding 
audit information incorporated into an, at least in part, encrypted audit report . 
This combination of metering of the creation of permissions records; secure, 
encrypted audit information reporting processes; secure VDE subsystem 
reconciliation of metering information reflecting the creation of registration 
and/or audit reporting permissions with received audit report detail; and one or 
more secure VDE installation expiration and/or other termination and/or other 
consequence processes; taken together significantly enhances the integrity of the 
VDE .secure audit reporting process as a trusted, efficient, commercial environment. 

Detailed Description Text - DETX (1283) : 

As mentioned above, an organization may employ VDE-enforced control capabilities 
to manage the security, distribution, integrity, and control of entire documents. 
Some examples of these capabilities may include: 1) A communication channel 
connecting two or more electronic appliances 600 may be assigned a set of permitted 
sensitivity attributes. Only documents whose sensitivity attributes belong to this 
set would be permitted to be transmitted over the channel. This could be used to 
support the Device Labels requirement of the Trusted Computer System Evaluation 
Criteria (TCSEC) . 2) A writable storage device (e.g., fixed disk, diskette, tape 
drive, optical disk) connected to or incorporated in an electronic appliance 600 
may be assigned a set of permitted sensitivity attributes. Only documents whose 
sensitivity attributes belong to this set would be permitted to be stored on the 
device. This could be used to support the TCSEC Device Labels requirement. 3) A 
document may have a list of users associated with it representing the users who are 
permitted to "handle" the document. This list of users may represent, for example, 
the only users who may view the document, even if other users receive the document 
container, they could not manipulate the contents. This could be used to support 
the standard ORCON handling caveat. 4) A document may have an attribute designating 
its originator and requiring an explicit permission ' to be granted by an originator 
before the document's content could be viewed. This request for permission may be 
made at the time the document is accessed by a user, or, for example, at the time 
one user distributes the document to another user. If permission is not granted, 
the document could not be manipulated or otherwise used. 5) A document may have an 
attribute requiring that each use of the document be reported to the document's 
originator. This may be used by an originator to gauge the distribution of the 
document. Optionally, the report may be required to have been made successfully 
before any use of the document is permitted, to ensure that the use is known to the 
controlling party at the time of use. Alternatively, for example, the report could 
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be made in a deferred ("batch") fashion. 6) A document may have an attribute 
requiring that each use of the document be reported to a central document tracking 
clearinghouse. This could be used by the organization to track specific documents, 
to identify documents used by any particular user and/or group of users to track 
documents with specific attributes (e.g., sensitivity), etc. Optionally, for 
example, the report may be required to have been made successfully before any use 
of the document is permitted. 7) A VDE protected document may have an attribute 
requiring that each use of the document generate a "return receipt," to an 
originator. A person using the document may be required to answer specific 
questions in order to generate a return receipt, for example by indicating why the 
document is of interest, or by indicating some knowledge of the document's contents 

(after reading it) . This may be used as assurance that the document had been 
handled by a person, not by any automated software mechanism. 8) A VDE protected 
document's content may be made available to a VDE-unaware application program in 
such a way that it is uniquely identifiable (traceable) to a user who caused its 
release. Thus, if the released form of the document is further distributed, its 
origin could be determined. This may be done by employing VDE "fingerprinting" for 
content release. Similarly, a printed VDE protected document may be marked in a 
similar, VDE fingerprinted unique way such that the person who originally printed 
the document could be determined, even if copies have since been made. 9) Usage of 
VDE protected documents could be permitted under control of budgets that limit 

(based on size, time of access, etc.) access or other usage of document content. 
This may help prevent wholesale disclosure by limiting the number of VDE documents 
accessible to an individual during a fixed time period. For example, one such 
control might permit a user, for some particular class of documents, to view at 
most 100 pages/day, but only print 10 pages/day and permit printing only on 
weekdays between nine and five. As a further example, a user might be restricted to 
only a certain quantity of logically related, relatively "contiguous" and/or some 
other pattern (such as limiting the use of a databases records based upon the 
quantity of records that share a certain identifier in field) of VDE protected 
document usage to identify, for example, the occurrence of one or more types of 
excessive database usage (under normal or any reasonable- circumstances) . As a 
result, VDE content providers can restrict usage of VDE content to acceptable usage 
characteristics and thwart and/or identify (for example, by generating an exception 
report for a VDE administrator or organization supervisor) user attempts to 
inappropriately use, for example, such an information database resource. 

Detailed Description Text - DETX (1293) : 

VDE repositories may also offer other VDE services. For example, a repository 
may choose to offer financial services in the form of credit from the repository 
that may be used to pay fees associated with use of VDE objects obtained from the 
repository. Alternatively or in addition, a VDE repository may perform audit 
information clearinghouse services on behalf of VDE creators or other participants 
(e.g. distributors, redistributors , client administrators, etc.) for usage 
information reported by VDE users. Such services may include analyzing such usage 
information, creating reports, collecting payments, etc. 

Detailed Description Text - DETX (1294) : 

A "full service" VDE repository may be very attractive to both providers and 
users of VDE managed content. Providers of VDE managed content may desire to place 
their content in a location that is well known to users, offers credit, and/or 
performs audit services for them. In this case, providers may be able to focus on 
creating content, rather than managing the administrative processes associated with 
making content available in a "retail" fashion, collecting audit information from 
many VDE users, sending and receiving bills and payments, etc. VDE users may find 
the convenience of a single location (or an integrated arrangement of repositories) 
appealing as they are attempting to locate content of interest. In addition, a full 
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service VDE repository may serve as a single location for the reporting of usage 
information generated as a consequence of their use of VDE managed content received 
from a VDE repository and/or, for example, receiving updated software (e.g. VDE- 
aware applications, load modules, component assemblies, non VDE-aware applications, 
etc.) VDE repository services may be employed in conjunction with VDE content 
delivery by broadcast and/or on physical media, such as CD-ROM, to constitute an 
integrated array of content resources that may be browsed, searched, and/or 
filtered, as appropriate, to fulfill the content needs of VDE users. 

Detailed Description Text - DETX (1302) : 

The information requested from author 3306A by the user/author registration 
system of the clearinghouse may, for example, consist of: VDE templates that author 
3306A may or must make use of in order to correctly format control information such 
that, for example, the audit system 3360 of the clearinghouse system 3302B is 
properly authorized to receive and/or process usage information related to content 
submitted by author 3306A, VDE control information available from the clearinghouse 
3302B that may or must be used by author 3306A (and/or included by reference) in 
some or all of the VDE component assemblies created and/or used by author 3306A 
associated with submitted content, the manner in which disbursement of any finds 
associated with usage of content provided by, passed through, or collected by the 
repository clearinghouse system 3302B should be made, the form and/or criteria of 
authorizations to use submitted content and/or financial transactions associated 
with content, the acceptable forms of billing for use of content and/or information 
associated with content (such as analysis reports that may be used by others) , how 
VDE generated audit information should be received, how responses to requests from 
users should be managed, how transactions associated with the receipt of audit 
information should be formatted and authorized, how and what forms of analysis 
should be performed on usage information, and/or under what circumstances (if any) 
usage information and/or analysis results derived from VDE controlled content usage 
information should be managed (including to whom they may or must be delivered, the 
form of delivery, any control information that may be associated with use of such 
information, etc.) 

Detailed Description Text - DETX (1312) : 

In addition to transaction information gathered when content is shipped from a 
VDE repository to an end user, the repository may be required to keep transaction 
information related to the receipt of usage information, requests, and/or responses 
to and/or from end users 3310. For example, author 3306A may require the repository 
to keep a log of some or all connections made by end users 3310 related to 
transmissions and or reception of information related to the use of author 3306A's 
content (e.g. end user reporting of audit information, end user requests for 
additional permissions information, etc.) 

Detailed Description Text - DETX (1314) : 

In order to provide a manageable user interface to the content available to VDE 
repository end users 3310 and to provide administrative information used in the 
determination of control information packaged in VDE content containers shipped to 
end users 3310, the repository in this example includes a content catalog 3322. 
This catalog is used to record information related to the VDE content in content 
storage, and/or content available through the repository reflected in content 
references. The content catalog 3322 may consist of titles of content, abstracts, 
and other identifying information. In addition, the catalog may also indicate the 
forms of electronic agreement and/or agreement VDE template applications (offering 
optional, selectable control structures and/or one or more opportunities to provide 
related parameter data) that are available to end users 3310 through the repository 
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for given pieces of content in deciding, for example, options and/or requirements 
for: what type(s) of information is recorded during such content's use, the charge 
for certain content usage activities, differences in charges based on whether or 
not certain usage information is recorded and/or made available to the repository 
and/or content provider, the redistribution rights associated with such content, 
the reporting frequency for audit transmissions, the forms of credit and/or 
currency that may be used to pay certain fees associated with use of such content, 
discounts related to certain volumes of usage, discounts available due to the 
presence of rights associated with other content from the same and/or different 
content providers, sales, etc. Furthermore, a VDE repository content catalog 3322 
may indicate some or all of the component assemblies that are required in order to 
make use of content such that the end user's system and the repository can exchange 
messages to help ensure that any necessary VDE component assemblies or other VDE 
control information is identified, and if necessary and authorized, are delivered 
along with such content to the end user (rather than, for example, being requested 
later after their absence has been detected during a registration and/or use 
attempt) . 

Detailed Description Text - DETX (1324) : 

Audit information (related to usage of content received from the repository) in 
this example is securely received from end users 3310 by the receipt system 3362 of 
the clearinghouse. As indicated above, this system may process the audit 
information and pass some or all of the output of such a process to the billing 
system and/or transmit such output to appropriate content authors. Such passing of 
audit information employs secure VDE pathway of reporting information handling 
techniques. Audit information, may also be passed to the analysis system in order 
to produce analysis results related to end user content usage for use by the end 
user, the repository, third party market researchers, and/or one or more authors. 
Analysis results may be based on a single audit transmission, a portion of an audit 
transmission, a collection of audit transmissions from a single end user and/or 
multiple end users 3310, or some combination of audit transmissions based on the 
subject of analysis (e.g. usage patterns for a given content element or collection 
of elements, usage of certain categories of content, payment histories, demographic 
usage patterns, etc.) The response system 3364 is used to send information to the 
end user to, for example, replenish a budget, deliver usage controls, update 
permissions information, and to transmit certain other information and/or messages 
requested and/or required by an end user in the course of their interaction with 
the clearinghouse. During the course of an end user's connections and transmissions 
to and from the clearinghouse, certain transactions (e.g. time, date, and/or 
purpose of a connection and/or transmission) may be recorded by the transaction 
system of the audit system to reflect requirements of the repository and/or 
authors . 

Detailed Description Text - DETX (1325) : 

Certain audit information may be transmitted to authors. For example, author 
3306A may require that certain information gathered from an end user be transmitted 
to author 3306A with no processing by the audit system. In this case, the fact of 
the transmission may be recorded by the audit system, but author 3306A may have 
elected to perform their own usage analysis rather than (or in addition to) 
permitting the repository to access, otherwise process and/or otherwise use this 
information. The repository in this example .may provide author 3306A with some of 
the usage information related to the repository's budget method received from one 
or more end users 3310 and generated by the payment of fees associated with such 
users 1 usage of content provided by author 3306A . In this case, author 3306A may 
be able to compare certain usage information related to content with the usage 
information related to the repository's budget method for the content to analyze 
patterns of usage (e.g. to analyze usage in light of fees, detect possible fraud, 
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generate user profile information, etc.) Any usage fees collected by the 
clearinghouse associated with author 3306A's content that are due to author 3306A 
will be determined by the disbursement system of the clearinghouse. The 
disbursement system may include usage information (in complete or summary form) 
with any payments to author 3306A resulting from such a determination. Such 
payments and information reporting may be an entirely automated sequence of 
processes occurring within the VDE pathway from end user VDE secure subsystems, to 
the clearinghouse secure subsystem, to the author's secure subsystem. 

Detailed Description Text - DETX (1328) : 

When an end user makes use of container content, their content usage information 
may, for example, be segregated in accordance with control structures that organize 
usage information based at least in part on the author who created that segment. 
Alternatively, the authors and/or the VDE repository 3302 may negotiate one or more 
other techniques for securely dividing and/or sharing usage information in 
accordance with VDE control information. Furthermore, control structures associated 
with a container may implement models that differentiate any usage fees associated 
with portions of content based on usage of particular portions, overall usage of 
the container, particular patterns of usage, or other mechanism negotiated (or 
otherwise agreed to) by the authors. Reports of usage information, analysis 
results, disbursements, and other clearinghouse processes may also be generated in 
a manner that reflects agreements reached by repository 3302 participants (authors, 
end users 3310 and/or the repository 3302) with respect to such processes. These 
agreements may be the result of a VDE control information negotiation amongst these 
participants. 

Detailed Description Text - DETX (1341) : 

An embedded content object within a parent VDE content container: (1) may have 
been a previously created VDE content container which has been embedded into a 
parent VDE content container by securely transforming it from an independent to an 
embedded object through the secure processing of one or more VDE component 
assemblies within a VDE secure sub-system PPE 650. In this instance, an embedded 
object may be subject to content control information, including one or more 
permissions records associated with the parent container, but may not, for example, 
have its own content control information other than content identification 
information, or the embedded object may be more extensively controlled by its own 
content control information (e.g. permissions records) . (2) may include content 
which was extracted from another VDE content container (along with content control 
information, as may be applicable) for inclusion into a parent VDE content 
container in the form of an embedded VDE content container object. In this case, 
said extraction and embedding may use one or more VDE processes which run securely 
within a VDE secure sub-system PPE 650 and which may securely remove (or copy) the 
desired content from a source VDE content container and place such content in a new 
or existing container object, either of which may be or become embedded into a 
parent VDE content container. (3) may include content which was first created and 
then placed in a VDE content container object. Said receiving container may already 
be embedded in a parent VDE content container and may already contain other 
content. The container in which such content is placed may be specified using a VDE 
aware application which interacts with content and a secure VDE subsystem to 
securely create such VDE container and place such content therein followed by 
securely embedding such container into the destination, parent container. 
Alternatively, .content may be specified without the use of a VDE aware application, 
and then manipulated using a VDE aware application in order to manage movement of 
the content into a VDE content container. Such an application may be a VDE aware 
word processor, desktop and/or multimedia publishing package, graphics and/or 
presentation package, etc. It may also be an operating system function {e.g. part 
of a VDE aware operating system or mini-application operating with an O/S such as a 
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Microsoft Windows compatible object packaging application) and movement of content 
from "outside" VDE to within a VDE object may, for example, be based on a "drag and 
drop" metaphor that involves "dragging" a file to a VDE container object using a 
pointing device such as a mouse. Alternatively, a user may "cut" a portion of 
content and "paste" such a portion into a VDE container by first placing content 
into a "clipboard, " then selecting a target content object and pasting the content 
into such an object. Such processes may, at the direction of VDE content control 
information and under the control of a VDE secure subsystem, put the content 
automatically at some position in the target object, such as at the end of the 
object or in a portion of the object that corresponds to an identifier carried by 
or with the content such as a field identifier, or the embedding process might pop- 
up a user interface that allows a user to browse a target object's contents and/or 
table of contents and/or other directories, indexes, etc. Such processes may 
further allow a user to make certain decisions concerning VDE content control 
information (budgets limiting use, reporting pathway(s), usage registration 
requirements, etc.) to be applied to such embedded content and/or may involve 
selecting the specific location for embedding the content, all such processes to be 
performed as transparently as practical for the application. (4) may be accessed in 
conjunction with one or more operating system utilities for object embedding and 
linking, such as utilities conforming to the Microsoft OLE standard. In this case, 
a VDE container may be associated with an OLE "link." Accesses (including reading 
content from, and writing content to) to a VDE protected container may be passed 
from an OLE aware application to a VDE aware OLE application that accesses 
protected content in conjunction with control information associated with such 
content . 

Detailed Description Text - DETX (1349) : 

A VDE activity related to VDE exporting and embedding involves performing one or 
more transformations of VDE content from one secure form to one or more other 
secure forms. Such transformation (s ) may be performed with or without moving 
transformed content to a new VDE content container (e.g. by component assemblies 
operating within a PPE that do not reveal, in unprotected form, the results or 
other output of such transforming processes without further VDE processes governing 
use of at least a portion of said content) . One example of such a transformation 
process may involve performing mathematical transformations and producing results, 
such as mathematical results, while retaining, none, some, or all of the content 
information on which said transformation was performed. Other examples of such 
transformations include converting a document format (such as from a WordPerfect 
format to a Word for Windows format, or an SGML document to a Postscript document), 
changing a video format (such as a QuickTime video format to a MPEG video format), 
performing an artificial intelligence process (such as analyzing text to produce a 
summary report ) , and other processing that derives VDE secured content from other 
VDE secured content. 

Detailed Description Text - DETX (1353) : 

Some of the usage control information (in this example, control information that 
a creator requires a distributor to provide in control information passed to users 
and/or user/distributors) specified by creator A may include, for example: (a) no 
moves (a form of distribution explained elsewhere in this document) of the content 
are permitted, and (b) distributors will be required to preserve (at a minimum) 
sufficient metering information within usage permissions in order to calculate the 
number of users who have accessed the container in a month and to prevent further 
usage after a rental has expired (e.g. by using a meter method designed to report 
access usages to creator A through a chain of handling and reporting, and/or the 
use of expiration dates and/or time-aged encryption keys within a permissions 
record or other required control information) . 
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Detailed Description Text - DETX (1359) : 

In this example, user A may receive control information related to creator A's 
VDE content container from distributor A. This control information may represent an 
extended agreement between user A and distributor A (e.g. regarding fees associated 
with use of content, limited redistribution rights, etc.) and distributor A and 
creator A (e.g. regarding the character, extent, handling, reporting, and/or other 
aspects of the use and/or creation of VDE controlled content usage information 
and/or content control information received, for example, by distributor A from 
creator A, or vice versa, or in other VDE content usage information handling) . Such 
an extended agreement is enforced by processes operating within a secure subsystem 
of each participant's VDE installation. The portion of such an extended agreement 
representing control information of creator A as modified by distributor A in this 
example is represented by D.sub.A (C.sub.A), including, for example, (a) control 
structures (e.g. one or more component assemblies, one or more permissions records, 
etc.), (b) the recording of usage information generated in the course of using, 
creator A's content in conformance with requirements stated in such control 
information, (c) making payments (including automatic electronic credit and/or 
currency payments "executed" in response to such usage) as a consequence of such 
usage (wherein such consequences may also include electronically, securely and 
automatically receiving a bill delivered through use of VDE, wherein such a bill is 
derived from said usage), (d) other actions by user A and/or a VDE secure subsystem 
at user A f s VDE installation that are a consequence of such usage and/or such 
control information. 

Detailed Description Text - DETX (1360) : 

In addition to control information D.sub.A (C.sub.A), user A may enforce her own 
control information on her usage of creator A's VDE content container (within the 
limits of senior content control information) . This control information may 
include, for example,- (a) transaction, session, time based, and/or other thresholds 
placed on usage such that if such thresholds (e.g. quantity limits, for example, 
self imposed limits on the amount of expenditure per activity parameter) are 
exceeded user A must give explicit approval before continuing, (b) privacy 
requirements of user A with respect to the recording and/or transmission of certain 
usage related details relating to user A f s usage of creator A's content, (c) backup 
requirements that user A places on herself in order to help ensure a preservation 
of value remaining in creator A's content container and/or local store of 
electronic, credit and/or currency that might otherwise be lost due to system 
failure or other causes. The right to perform in some or all of these examples of 
user A's control information, in some examples, may be negotiated with distributor 
A. Other such user specified control information may be enforced independent of any 
control information received from any content provider and may be set in 
relationship to a user's, or more generally, a VDE installation's, control 
information for one or more classes, or for all classes, of content and/or 
electronic appliance usage. The entire set of VDE control information that may be 
in place during user A's usage of creator A's content container is referred to on 
FIG. 80 as D.sub.A (D.sub.A (C.sub.A)). This set may represent the control 
information originated by creator A, as modified by distributor A, as further 
modified by user A, all in accordance with control information from value chain 
parties providing more senior control information, and therefore constitutes, for 
this example, a "complete" VDE extended agreement between user A, distributor A, 
and creator A regarding creator A's VDE content container. User B may, for example, 
also receive such control information D.sub.A (C.sub.A) from distributor A, and add 
her own control information in authorized ways to form the set U.sub.B (D.sub.A 
(C.sub.A) ) . 

Detailed Description Text - DETX (1361) : 
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User/distributor A may also receive VDE control information from distributor A 
related to creator A f s VDE content container. User/distributor A may, for example, 
both use creator A f s content as a user and act as a redistributor of control 
information. In this example, control information D.sub.A (C.sub.A) both enables 
and limits these two activities. To the extent permitted by D.sub.A (C.sub.A), 
user /distributor A may create their own control information based on D.sub.A 
(C.sub.A) — UD.sub.A (D.sub.A (C.sub.A)) — that controls both user/distributor A's 
usage (in a manner similar to that described above in connection with user A and 
user B) , and control information redistributed by user/distributor A (in a manner 
similar to that described above in connection with distributor A) . For example, if 
user/distributor A redistributes UD.sub.A (D.sub.A (C.sub.A)) to user/distributor 
B, user/distributor B may be required to report certain usage information to 
user/distributor A that was not required by either creator A or distributor A. 
Alternatively or in addition, user/distributor B may, for example, agree to pay 
user/distributor A a fee to use creator A's content based on the number of minutes 
user/distributor B uses creator A's content (rather than the monthly fee charged to 
user/distributor A by distributor A for user/distributor B f s usage). 

Detailed Description Text - DETX (1363) : 

As indicated in FIG. 79, user B may employ content from both user/distributor B 
and distributor A (amongst others) . In this example, as illustrated in FIG. 80, 
user B may receive control information associated with creator A's content from 
distributor A and/or user/distributor B. In either case, user B may be able to 
establish their own control information on D.sub.A (C.sub.A) and/or UD.sub.B 
(UD.sub.A (D.sub.A (C.sub.A))), respectively (if allowed by such control 
information. The resulting set(s) of control information, U.sub.B (D.sub.A 
(C.sub.A)) and/or U.sub.B (UD.sub.B (UD.sub.A (D.sub.A (C.sub.A)))) respectively, 
may represent different control scenarios, each of which may have benefits for user 
B. As described in connection with an earlier example, user B may have received 
control information from user/distributor B along a chain of handling including 
user/distributor A that bases fees on the number of minutes that user B makes use 
of creator A's content (and requiring user/distributor A to pay fees of $15 per 
month per user to distributor A regardless of the amount of usage by user B in a 
calendar month) . This may be more favorable under some circumstances than the fees 
required by a direct use of control information provided by distributor A, but may 
also have the disadvantage of an exhausted chain of redistribution and, for 
example, further usage information reporting requirements included in UD.sub.B 
(UD.sub.A (D.sub.A (C.sub.A))). If the two sets of control information D.sub.A 
(C.sub.A) and UD.sub.B (UD.sub.A (D.sub.A (C.sub.A))) permit (e.g. do not require 
exclusivity enforced, for example, by using a registration interval in an object 
registry used by a secure subsystem of user B's VDE installation to prevent 
deregistration and reregistration of different sets of control information related 
to a certain container (or registration of plural copies of the same content having 
different control information and/or being supplied by different content providers) 
within a particular interval of time as an aspect of an extended agreement for a 
chain of handling and control reflected in D.sub.A (C.sub.A) and/or UD.sub.B 
(UD.sub.A (D.sub.A (C.sub.A)))), user B may have both sets of control information 
registered and may make use of the set that they find preferable under a given 
usage scenario. 

Detailed Description Text - DETX (1364) : 

In this example, creator B creates a VDE content container associates a set of 
VDE control information with such container indicated in FIG. 81 as C.sub.B. FIG. 
81 further shows the VDE participants who may receive enabling control information 
related to creator B's VDE content container. In this example, control information 
may indicate that distributors of creator B's content: (a) must pay creator B $0.50 
per kilobyte of information decrypted by users and/or user/distributors authorized 



http://l 27.0.0. l:4343/C:/APPS/e^ 1/21/04 



DOCUMENT-IDENTIFIER: US 6363488 Bl 



Page 42 of 45 



by such a distributor, (b) may allow users and/or user/distributors to embed their 
content container in another container while maintaining a requirement that creator 
B receive $0.50 per kilobyte of content decrypted, (c) have no restrictions on the 
number of enabling control information sets that may be generated for users and/or 
user/distributors, (d) must report information concerning the number of such 
distributed control information sets at certain time intervals (e.g. at least once 
per month), (e) may create control information that allows users and/or 
user /distributors to perform up to three moves of their control information, (f) 
may allow redistribution of control information by user/distributors up to three 
levels of redistribution, (g) may allow up to one move per user receiving 
redistributed control information from a user /distributor . 

Detailed Description Text - DETX (1370) : 

In this example, creator C produces one or more sets of control information 
C.sub.C associated with a VDE content container created by creator C, as shown in 
FIG. 82. FIG. 82 further shows the VDE participants who may receive enabling 
control information related to creator C's VDE content container. The content in 
such a container is, in this example, organized into a set of text articles. In 
this example control information may include one or more component assemblies that 
describe the articles within such a container (e.g. one or more event methods 
referencing map tables and/or algorithms that describe the extent of each article) . 
C.sub.C may further include, for example: (a) a requirement that distributors 
ensure that creator C receive $1 per article accessed by users and/or 
user/distributors, which payment allows a user to access such an article for a 
period of no more than six months (e.g. using a map-type meter method that is aged 
once per month, time aged decryption keys, expiration dates associated with 
relevant permissions records, etc.), (b) control information that allows articles 
from creator C's container to be extracted and embedded into another container for 
a one time charge per extract/embed of $10, (c) prohibits extracted/embedded 
articles from being reextracted, (d) permits distributors to create enabling 
control information for up to 1000 users or user/distributors per month, (e) 
requires that information regarding the number of users and user/distributors 
enabled by a distributor be reported to creator C at least once per week, (f) 
permits distributors to enable users or user/distributors to perform up to one move 
of enabling control information, and (g) permits up to 2 levels of redistribution 
by user/distributors. 

Detailed Description Text - DETX (1376) : 

In this example, creator D may create a VDE content container that is designed 
primarily for integration with other content (e.g. through use of a VDE 
extracting/embedding process), for example, content provided by creator B and 
creator C. FIG. 83 shows the VDE participants who may receive enabling control 
information related a VDE content container produced by creator D. Control 
information associated with creator D's content (CD in FIG. 83) may include, for 
example: (a) a requirement that distributors make payment of either $1.50 per open 
per user, or $25 per user for an unlimited number of opens, (b) a discount of 20% 
for any user 'that has previously paid for an unlimited number of opens for certain 
other content created by creator D (e.g. implemented by including one or more 
billing methods that analyze a secure database of a user's VDE installation to 
determine if any of such certain other containers are registered, and further 
determines the character of rights held by a user purchasing rights to this 
container), (c) a requirement that distributors report the number of users and 
user/distributors enabled by control information produced in accordance with 
C.sub.D after such number exceeds 1000, (d) a requirement that distributors limit 
the number of moves by users and/or user/distributors to no more than one, (e) a 
requirement that distributors limit user/distributors to no more than four levels 
of redistribution, and (f) that distributors may create enabling control 
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information that permits other distributors to create control information as 
distributors, but may not pass this capability to such enabled distributors, and 
further requires that audit information associated with use of control information 
by such enabled distributors shall pass directly to creator D without processing by 
such enabling distributor and that creator D shall pay such an enabling distributor 
10% of any payments received by creator D from such an enabled distributor. 

Detailed Description Text - DETX (1398) : 

Commercial content repository 200g, in this example, may receive VDE protected 
(or otherwise securely delivered) content and distribution, permissions and/or 
other content usage control information from creator 102. Commercial content 
repository 200g may store content securely such that users may obtain such, when 
any required conditions are met, content from the repository 200g. The distribution 
permissions 3502 may, for example, permit commercial content repository 200g to 
create redistribution permissions and/or usage permissions 3500, 3502 using a VDE 
protected subsystem within certain restrictions described in content control 
information received from creator 102 (e.g., not to exceed a certain number of 
copies, requiring certain payments by commercial content repository 200g to creator 
102, requiring recipients of such permissions to meet certain reporting 
requirements related to content usage information, etc.). Such content control 
information may be stored at the repository installation and be applied to 
unencrypted content as it is transmitted from said repository in response to a user 
request, wherein said content is placed into a VDE container as a step in a secure 
process of communicating such content to a user. Redistribution permissions may, 
for example, permit a recipient of such permissions to create a certain number of 
usage permissions within certain restrictions (e.g., only to members of the same 
household, business other organization, etc.). Repository 200g may, for example, be 
required by control information received from creator 102 to gather and report 
content usage information from all VDE participants to whom the repository has 
distributed permissions. 

Detailed Description Text - DETX (1399) : 

In this example, power user 112d may receive VDE protected content and 
redistribution permissions from commercial content repository 200g using the 
desktop computer 3504. Power user 112d may, for example, then use application 
software in conjunction with a VDE secure subsystem of such desktop computer 3504 
in order to produce usage permissions for the desktop computer 3504, laptop 
computer 3506 and/or settop appliance 3508 (assuming redistribution permissions 
received from commercial content repository 200g permit such activities) . If 
permitted by senior control information (for example, from creator 102 as may be 
modified by the repository 200g) , power user 112d may add her own restrictions to 
such usage permissions (e.g., restricting certain members of power user 112d ! s 
household using the settop appliance to certain times of day, amounts of usage, 
etc. based on their user identification information). Power user 112d may then 
transmit such VDE protected content and usage permissions to the laptop computer 
3506 and the settop appliance 3508 using VDE secure communications techniques. In 
this case, power user 112d has redistributed permissions from the desktop computer 
3504 to the settop appliance 3508 and the laptop computer 3506, and periodically 
the settop appliance and the laptop computer may be required to report content 
usage information to the desktop computer, which in turn may aggregate, and/or 
otherwise process, and report user usage information to the repository 200g. 

Detailed Description Text - DETX (1400) : 

User 112e and/or user 112f may receive usage permissions and VDE protected 
content from commercial content repository 200g. These users may be able to use 
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